GitHub now rolling out mandatory 2FA for developers

Over the next year, GitHub will require all code contributors to have at least one of four 2FA methods activated for their accounts.
Sopa Images/Getty Images

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Making good on its promise from May 2022, code repository GitHub is beginning to require developers who contribute code to the site to enable two-factor authentication (2FA) on their accounts.

The policy, which officially went into effect on March 13 this year, will begin with “smaller groups” and subsequently expand to encompass the entire GitHub developer community by the end of the year. GitHub will inform those whose accounts are selected that they have 45 days to set up 2FA, after which any attempts to log in will trigger the requirement.

Fortunately, GitHub appears to have gone out of its way to make the onboarding process as easy as possible for developers—which is important, given that user experience and complexity are some of the biggest hindrances to widespread 2FA adoption, according to Yubico research.

GitHub is allowing users to have both an authenticator app providing a time-based one-time password (TOTP) and an SMS number registered to their accounts. The repository will also now allow users locked out of their accounts to unlink email addresses from 2FA-enabled accounts, making it easier for those locked out to start another account using the same email.

Twenty-eight days after enabling 2FA, according to GitHub, users will also be asked to perform a checkup that ensures their authentication method is working properly.

GitHub is one of the primary hubs for the open-source community, and the new 2FA requirements are coming into play alongside widespread concerns about the state of software supply-chain security and potential exploitation of flaws and vulnerabilities in ubiquitous open-source software that developers might not even realize is part of their technology stack.

A recent Synopsys report on audited code bases, for example, found that 84% contained at least one open-source vulnerability, and 48% had at least one classified as severe.—TM
