GitHub requires two-factor authentication for all developers

March 13, 2023

GitHub is planning to require two-factor authentication (2FA) for all developers who contribute code to any project on the platform, in an effort to strengthen the software supply chain.

GitHub will select accounts for enrollment, starting with smaller groups that will be required to enroll in 2FA, the company announced on March 9. Millions of developers will be required to use one or more forms of 2FA.

Those who are chosen will be notified via email and will see a banner on GitHub.com requesting that they enroll. Users will have 45 days to configure two-factor authentication on their accounts. Notifications can be “snoozed,” or put on hold, for up to a week. The gradual rollout is designed to assist GitHub in ensuring user adoption, with adjustments made as needed, before the process is scaled to larger groups as the year progresses.

According to GitHub, the move is in line with the National Cybersecurity Strategy, which, among other things, places the onus and increased security responsibility on software vendors. The company also said that platform-wide enforcement will begin on March 13, 2023, in a process that will be phased in to different groups of developers and project administrators throughout the rest of the year.

As a preferred 2FA method, users can select TOTP (Time-based One-Time Password), SMS (Short Message Service), security keys, or GitHub Mobile. GitHub recommends using security keys and TOTPs whenever possible; SMS does not provide the same level of security and is no longer recommended by NIST 800-63B, according to the company.

However, the company advises users to use security keys, such as YubiKeys, and TOTPs, citing the fact that SMS-based 2FA is less secure.

The sources for this piece include an article in TechRepublic.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
