GitHub to require 2FA from active developers by the end of 2023

GitHub announced today that all users who contribute code on its platform (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts by the end of 2023.

Active contributors who will have to enable 2FA include but are not limited to GitHub users who commit code, use Actions, open or merge pull requests, or publish packages.

Developers can use one or more 2FA options, including physical security keys, virtual security keys built into devices like phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.

Even though SMS-based 2FA is also an option (in some countries), GitHub urges switching to security keys or TOTPs since threat actors can bypass or steal SMS 2FA auth tokens.

"GitHub.com organization and enterprise owners can also require 2FA for members of their organizations and enterprises," Chief Security Officer Mike Hanley said.

"Note that organization and enterprise members and owners who do not use 2FA will be removed from the organization or enterprise when these settings are enabled."

This is GitHub's latest step to further secure the software supply chain from attacks by moving away from basic password-based auth.

The code hosting platform previously announced that it would require email-based device verification and the deprecation of account passwords for authenticating Git operations.

GitHub also disabled password auth via the REST API in November 2020 and added support for securing SSH Git operations using FIDO2 security keys in May 2021.

GitHub also improved account security over the years by adding two-factor authentication, sign-in alerts, blocking the use of compromised passwords, and WebAuthn support.

Why 2FA?

Enabling two-factor authentication on GitHub accounts increases resilience against takeover attempts by blocking attempts to use stolen credentials or reused passwords in hijack attacks.

As Microsoft's Director of Identity Security Alex Weinert explained a couple of years ago, "your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA."

He also said that the "use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population."

Google also previously revealed that "simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks," with "zero users that exclusively use security keys fell victim to targeted phishing."

Hanley added today that, although 2FA has already proven a simple way to secure accounts against hijacking, "only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA."

GitHub provides detailed information on how to configure 2FA for your GitHub account, recover accounts when losing 2FA credentials, and disable 2FA for personal accounts.