GitHub will roll out two-factor authentication to all contributing developers on its platform by the end of 2023.
GitHub began the transition in February 2022 with the registration of all maintainers of the top-100 packages on the npm registry in mandatory 2FA. However, the company stated that only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA.
The new 2FA requirement aims to reduce the risk of social engineering attacks, login theft, and other tactics used to gain access to developer accounts. It will also help secure the software supply chain.
According to Myles Borins, product manager at GitHub, about 88% of the top 100 maintainers have already activated 2FA.
To continue the trend of getting more participants to use multi-factor authentication, GitHub plans to register maintainers of all powerful packages, which include packages with more than 500 dependents or one million weekly downloads.
GitHub also identified recommendations to protect the software supply chain, including configuring 2FA authentication for personal accounts, connecting to GitHub using SSH keys, centralizing user authentication, configuring 2FA for organizations, and creating vulnerability programs for dependencies.
Others include securing their communication tokens, keeping vulnerable coding patterns from their repository, signing their builds, and tightening security for GitHub actions.
The sources for this piece include an article in TechRepublic.