GitHub has announced that it will require two factor authentication for users who contribute code on its service.
“The software supply chain starts with the developer,” wrote GitHub chief security officer Mike Hanley on the company blog. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”
Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds’ Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.
Hence its decision to require 2FA “by the end of 2023” for users who commit code, open or merge pull requests, use Actions, or publish packages.
GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.
Why the rest have until sometime in 2023 to adopt 2FA isn’t explained in Hanley’s post, beyond his assertion that “GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this.”
The post also states that GitHub will “actively explore new ways of securely authenticating users” and add more ways to recover accounts.
“Improvements that help prevent and recover from account compromise” are also on the agenda.
Hanley’s post states that details of GitHub’s 2FA implementation will emerge in “coming months”. ®