GitHub has announced that two-factor authentication will be mandatory for all contributors to the code on the service.
“The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” said Mike Hanley, GitHub Chief Security Officer.
GitHub already offers two-factor authentication, requiring contributors to popular packages (including npm) to use it. The service claims that 16.5% of active users already use it.
It is unclear why the service decided to introduce two-factor authentication from the end of 2023, and not immediately. Henley’s post explains this with the words:
“GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this.”
The post also shows that GitHub will actively explore new ways to securely authenticate users and add more ways to recover accounts. Improvements to help prevent and recover from account hacking are also on the agenda.
GitHub promised to tell more about the introduction of two-factor authentication in the coming months.