GitHub is pushing for two-factor authentication (2FA) by requiring all users who contribute code to repositories hosted on GitHub to enable one or more forms of 2FA by the end of 2023. The move will ultimately affect some 83 million developers.
Explaining its motives, GitHub said most security breaches were not the result of exotic zero-day attacks, but rather of lower-cost attacks such as social engineering, credential theft or leaks, and other avenues that give attackers access to victims' accounts. Compromised accounts can be used to steal private code or push malicious code changes, affecting every user of the application. The potential for downstream impacts on the wider software ecosystem and supply chain is significant. The best protection is to go beyond password-based authentication, the company said.
GitHub has already taken steps in this direction by deprecating basic (password) authentication for Git operations and the REST API, and by requiring email-based device verification for sign-ins from unrecognised devices. On top of a username and password, 2FA is a powerful next line of defense. Currently, only 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA, GitHub said.
GitHub recently added 2FA support to GitHub Mobile on iOS and Android. Those who want to set up GitHub Mobile as a 2FA method can follow the instructions in a GitHub blog post from January 2022. The company said it expects to offer more options for secure authentication and account recovery, along with improvements that make recovering from an account compromise easier.
GitHub enrolled all maintainers of the top 100 packages in the npm registry in mandatory 2FA in February, and enrolled all npm accounts in enhanced login verification in March.
The company said that all maintainers of the top 500 packages will be enrolled in mandatory 2FA on May 31. Maintainers of high-impact npm packages, those with more than 500 dependents or one million weekly downloads, will be enrolled in 2FA in the third quarter of this year.
Copyright © 2022 IDG Communications, Inc.