Here is some news that is both straightforward and still a long time out but nevertheless important: by the end of 2023, GitHub will require all users who contribute code on the platform to enable one or more forms of two-factor authentication (2FA).
And that’s pretty much it for the news. Today, the Microsoft-owned company says, only 16.5% of active GitHub users and 6.44% of npm users use 2FA. That is not a lot, and frankly fewer than I would have expected.
“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial,” Mike Hanley, GitHub’s chief security officer, writes in today’s announcement.
He also notes that the company is trying to make sure that the extra layer of security doesn’t come at the expense of the user experience. Hence the long time between today’s announcement and when it will enforce this. “Our end of 2023 target gives us the opportunity to optimize for this,” Hanley explains. Switching to 2FA involves some changes to the user experience both on the command line and the GitHub web interface.
It’s worth noting that earlier this year, GitHub also enrolled the maintainers of the top-100 npm packages in mandatory 2FA to prevent software supply chain attacks. It plans to expand to the maintainers of top-500 packages this month and then later expand that to all packages with more than 500 dependents or 1 million weekly downloads.