GitHub will begin rolling out a long-anticipated security upgrade that requires all developers who contribute code on GitHub.com to enable two-factor authentication (2FA) to access the platform before the end of 2023.
Starting on Monday, GitHub will begin notifying small groups of developers and administrators by email in order to allow time for adjustments. After the initial period, GitHub will scale the rollout to larger groups over the course of the year.
The security upgrade is designed to offer more robust protection for developers who have been frequent targets of malicious cyber campaigns.
“Securing the software supply chain starts with the developer, and our 2FA initiative is part of a platform-wide effort to secure software development by improving account security,” Hirsch Singhal, staff product manager at GitHub, said via email.
GitHub users who are selected for enrollment and have enabled 2FA will get a prompt 28 days later asking them to perform 2FA again and confirm their second-factor settings, so that misconfigured or lost factors are caught before the account is locked down.
GitHub previously announced the 2FA plan for developers in May 2022, about six months after it rolled out enhancements to npm security in response to npm package takeovers. Those changes require maintainers of npm packages with more than 1 million weekly downloads or more than 500 dependents to enable 2FA.
As of May 2022, more than 83 million developers were on the platform, according to GitHub. About 20% of active users have enabled 2FA, according to Singhal. Millions of developers are expected to enable 2FA this year.
Accounts will have a total of 45 days to configure 2FA, and users will be notified as their deadline approaches. Users will be able to snooze the notifications for up to seven days; after that, they will have only limited access to their accounts until 2FA is configured.
Users will have multiple options for 2FA and can register an authenticator app (TOTP) and an SMS number on the same account. GitHub recommends security keys alongside a TOTP app rather than SMS, which has been found to be less secure.
SMS is no longer recommended as an authentication method: NIST SP 800-63B classifies out-of-band authentication over the public telephone network (SMS or voice) as a restricted authenticator type because of SIM-swap and interception risk.
GitHub said it is internally testing passkeys, which combine ease of use with resistance to phishing.
Rival GitLab does not require 2FA but strongly recommends it, according to Wayne Haber, director of engineering. Despite the lack of a mandate, GitLab performs a risk assessment on sign-in and may require users to enter a code it emails to them in addition to their username and password.
GitLab has more than 30 million registered users.