GitHub will require all developers to enroll in 2FA by the end of 2023

News
By published

One or more forms of two-factor authentication will be required

GitHub Webpage
(Image credit: Gil C / Shutterstock)

In an effort to further secure the developer accounts and code hosted on its platform, GitHub has announced that its users will need to enroll in two factor authentication (2FA) by the end of next year.

More specifically, anyone that contributes code on the Microsoft-owned platform will need to enable one or more forms of 2FA.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

According to a new blog post from GitHub’s chief security officer Mike Hanley, the software supply chain starts with developers and developer accounts are frequently targeted by social engineering and account takeover. By protecting developers from these types of attacks, the company is taking the first and most critical step toward securing the software supply chain.

Going forward, GitHub plans to explore new ways of securely authenticating its users including passwordless authentication. In fact, just last year, the company added the ability to use security keys for authentication as part of its efforts to move towards a passwordless future.

Securing the software supply chain

Back in November of last year, GitHub committed to new investments in npm account security following npm package takeovers that were the result of developer accounts without 2FA enabled that had been compromised.

Although zero-day vulnerabilities get a lot of attention online, lower-cost attacks such as social engineering, credential theft or data leaks are actually responsible for most security breaches.

Read More

> GitHub is getting better at hunting down your dangerous code

> The latest GitHub update solves major headaches for developers

> GitHub wants to help developers spot security issues before they get too serious

Compromised accounts on GitHub can be used to steal private code or even to push malicious changes to that code. Unfortunately, not only individuals and their organizations associated with these compromised accounts are at risk but also any users of the affected code.

The best defense against compromised user accounts is moving beyond basic password-based authentication. However, only 16.5 percent of all active GitHub users today and 6.44 percent of npm users use one or more forms of 2FA.

GitHub users have plenty of time to prepare for this change and the company recently launched 2FA for GitHub mobile on iOS and Android. Those interested in learning how to configure GitHub Mobile 2FA can check out this support document to get started.

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
These fake GitHub "security alerts" could actually let hackers hijack your account
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
digital key
Microsoft really wants users to ditch passwords and switch to passkeys
Security padlock in circuit board, digital encryption concept
MFA alone won’t protect you in 2025: the new cybersecurity imperative
A phone sitting on a laptop keyboard with the Microsoft Outlook logo on the screen.
Microsoft is changing the way logins work: here’s what that means for you
Isometric demonstrating multi-factor authentication using a mobile device.
Google is ditching SMS - and will now use QR codes for Gmail account authentication
Latest in Security
NordProtect logo
Standalone identity theft protection from Nord Security is now available
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
Ofcom cracks down on UK tech firms, will issue sanctions for illegal content
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
These fake GitHub "security alerts" could actually let hackers hijack your account
3d rendering of a submarine power cable on the seabed
Subsea internet cables can now ‘listen’ for sabotage using irregular pulses of light
Dark Web monitoring
A worrying critical security flaw in Apache Tomcat could let hackers take over servers with ease
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
Latest in News
an image of the Samsung Galaxy S24 Ultra
Finally! One UI 7 has a release date - here are the Samsung phones that’ll get it first
Google Cloud logo
Google to acquire cloud security platform Wiz in $32 billion deal
GIMP 3.0 interface from the website
Our favorite free photo editor finally got the update it deserves - and these are the top 5 features designers should know about
FCC filing for the Nothing CMF Buds 2 Plus
Nothing’s next-gen CMF cheap earbuds slated to arrive within the month, but don’t expect hi-res audio support
John Loeffler holding the Ryzen 7 7800X3D
Great news! The best gaming CPU ever made is finally available for it's original MSRP again
Garmin Instinct 3
A new Garmin study hints at the link between burning calories and happiness, and I've got good and bad news
More about security
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system

These fake GitHub "security alerts" could actually let hackers hijack your account
Dark Web monitoring

A worrying critical security flaw in Apache Tomcat could let hackers take over servers with ease
an image of the Samsung Galaxy S24 Ultra

Finally! One UI 7 has a release date - here are the Samsung phones that’ll get it first
See more latest
Most Popular
an image of the Samsung Galaxy S24 Ultra
Finally! One UI 7 has a release date - here are the Samsung phones that’ll get it first
GIMP 3.0 interface from the website
Our favorite free photo editor finally got the update it deserves - and these are the top 5 features designers should know about
Google Cloud logo
Google to acquire cloud security platform Wiz in $32 billion deal
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
These fake GitHub "security alerts" could actually let hackers hijack your account
MOZA sim accessories
The cutting-edge controllers that'll make your sim feel incredibly real
FCC filing for the Nothing CMF Buds 2 Plus
Nothing’s next-gen CMF cheap earbuds slated to arrive within the month, but don’t expect hi-res audio support
AMD RX 9070 GPU models
We won't be seeing any Radeon RX 9000 series GPUs from MSI - AMD prioritizes other board partners instead
John Loeffler holding the Ryzen 7 7800X3D
Great news! The best gaming CPU ever made is finally available for it's original MSRP again
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
Verdansk returns to Warzone in a matter of weeks and I’m dreaming of the return of two iconic weapons - here’s what you need to know about its release date and what to expect
The Ryzen AI Max+ 395 could power the latest generation of powerful mini PCs
The AMD Ryzen AI Max+ 395 dominates as the "most powerful" APU on the market, but its competition is questionable