The Achilles’ heel of security upgrades? User resistance.
After all, security features like two-factor authentication (2FA) can introduce friction for users, who often feel the added steps interfere with their ability to do their jobs. But Microsoft-owned GitHub, the world’s largest code repository, said it was able to implement a 2FA mandate for millions of users with relatively few setbacks.
GitHub recently reported that since 2FA became required for code contributors in March 2023, around 95% of them have opted in—and 2FA opt-in has risen by 54% among all other active contributors, such as commenters.
Besides user complaints, transitions to multi-factor authentication often run into obstacles like increased workloads for IT support teams. Yet GitHub says the number of support tickets for 2FA account recovery that required “significant human intervention” has decreased since May 2023 and is now 54% lower.
Mike Hanley, GitHub’s chief security officer and SVP of engineering, explained to IT Brew the company was wary of simply imposing 2FA requirements on users and planned its rollout strategy around user engagement.
“We felt very strongly this was an opportunity to help basically raise the bar for everyone,” Hanley said.
GitHub first began requiring 2FA for contributors to npm, a JavaScript package manager that is frequently targeted by threat actors, in 2022. After seeing initial success from that decision, Hanley’s team spent months conducting interviews with stakeholders ranging from enterprise customers to open-source contributors and seeking feedback on 2FA implementation designs before enrolling its first cohorts in the sitewide rollout.
Hanley cited a well-known study, “Why Johnny Can’t Encrypt,” an evaluation of PGP email encryption that concluded new security tools aren’t effective for users who don’t already understand how to use them unless developers pay extra attention to usability. Bad outcomes can range from non-compliance to users assuming they’re protected by features that they set up incorrectly, he said.
“When people roll out new security features and functionality, it’s often built by people who know a lot about security, but don’t necessarily talk to the people who actually have to encounter that technology,” Hanley said. “And, of course, the outcome…is people spend all their time trying to figure out how to get around the thing that they perceive to be preventing them from getting their work done.”
Hanley said the team’s initial assumption was that GitHub would require additional support team members to handle complaints and user tickets during the transition. Yet the opposite happened, which he credited to optimizations to the account management and recovery processes implemented after user feedback, a phased approach, and steps like sending regular heads-up messages to remind users of deadlines.
The team “sort of ended up with the counterintuitive, but very delightful outcome of support ticket volume actually [dropping] down,” Hanley told IT Brew. For example, sending reminders to developers helped ensure their first encounter with GitHub’s 2FA wasn’t “immediately in a fully failed state.”
More than 75% of tickets from users trying to recover their accounts now come through GitHub’s automated review system, according to GitHub, which said the system has features designed to “dramatically” reduce the odds of users requiring human support.
It’s still too early for GitHub to proclaim any decrease in breaches, Hanley said. But the company’s next target is to decrease the number of users who authenticate via SMS, one of the more accessible but least secure 2FA methods. GitHub has no plans to deprecate SMS 2FA, but successfully lowered the percentage of users relying on it by 25% from 2023 to 2024.