GitHub will require all users who contribute code on the platform to use 2FA as part of its latest security enhancements.
Attacks on the software supply chain are on the rise. GitHub, which has more than 83 million users contributing code, is moving to protect developers and the software supply chain with this major policy change.
“At GitHub, we believe that our unique position as a home for all developers gives us both the opportunity and the responsibility to raise the bar of security in the software development ecosystem,” wrote Mike Hanley, GitHub’s chief security officer, in a blog post.
“As we invest deeply in our platform and the wider industry to improve the overall security of the software supply chain, the value of this investment is fundamentally limited if we do not address the continuing risk of account compromise.”
GitHub has already committed to investing in npm account security after compromised accounts without 2FA enabled led to package takeovers.
“Compromised accounts can be used to steal private code or to make malicious changes to that code. This puts at risk not only the individuals and organizations associated with the compromised accounts, but also all users of the affected code,” explains Hanley.
“As a result, the potential for downstream impacts on the wider software ecosystem and supply chain is significant.”
Today, only about 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.
Previous efforts by GitHub to protect developers include searching for and invalidating known compromised user passwords, offering stable support for WebAuthn security keys, and enrolling all npm publishers in enhanced login verification.
Following the policy change announced today, GitHub will require all developer accounts to activate one or more forms of 2FA by the end of 2023.
We asked GitHub to comment on why it decided on such a long transition period, and this was its answer:
“While we are excited to improve the adoption of 2FA, we also recognize that security that cannot be used is not significant security. Taking the time to provide a seamless, affordable experience for developers helps us ensure a successful implementation and also serves to normalize 2FA as something that should not be considered inconvenient.
We believe that time and investment will allow us to make the experience even more amazing in the service of our goal of improving adoption. We also saw great success in the phased implementation with our application of 2FA for npm. This allowed us to ensure that we were going in the right direction, to collect feedback from customers and to adapt our approach if necessary.”
While it’s good to see GitHub recognize the risks of compromised accounts, many will still question the need for such a long delay in implementing the policy given the currently elevated risks.
An increasing number of services already require 2FA, and we are confident that GitHub and its users could do the same by the end of this year to prevent further attacks from compromised accounts.
Update: Added response from GitHub on the reasons for the long transition period.