GitHub is set to require two-factor authentication (2FA) for all developers who contribute code to any project on the platform, a move designed to bolster the software supply chain.
The Microsoft-owned code-hosting platform announced last May that it intended to make 2FA mandatory by the end of 2023, though it had started the process earlier that year for the top 100 packages, followed in November by other “high-impact” packages. These were defined as packages with more than 1 million weekly downloads, or more than 500 dependents (projects that use the package in question).
Now, GitHub has confirmed that a platform-wide enforcement will begin on March 13, 2023 (four days from now), a process that will roll out incrementally to different groups of developers and project administrators throughout the rest of the year.
With some 100 million developer users, GitHub is a pivotal part of the global software supply chain. And while concerns around software supply chain security have abounded for a while, a spate of high-profile attacks in recent years have thrust the issue to the top of political agendas globally. This includes the breach at U.S. software company SolarWinds in 2020 which impacted a slew of government and corporate entities that used the software, as well as the critical Log4Shell security flaw that emerged in a popular open source logging tool called Log4j.
Such prominent security incidents spurred the Biden administration into action back in 2021 when it issued an executive order designed to secure the country’s cyber defenses. And last week, the government published a new cybersecurity strategy that included calls for Big Tech to shoulder more of the responsibility for ensuring that their systems are robust, something that mandatory 2FA will go some way toward aiding.
Open source software in particular has been a major focal point of the administration’s cybersecurity efforts over the past couple of years, due in large part to its pervasiveness. Indeed, the vast majority of software contains at least some open source components, and many of those components are the handiwork of one or two developers who work on it in their spare time with little in the way of financial support.
And it’s against that backdrop that GitHub has been pushing the 2FA agenda over the past year, as it looks to reduce the chances of key open source projects being compromised by bad actors through social engineering or similar account takeover attempts.
GitHub’s staggered approach to enforcing 2FA is a calculated attempt to ensure that everyone who needs to be onboarded do so of their own volition, and in good time.
“This gradual rollout will let us make sure developers are able to successfully onboard, and make adjustments as needed before we scale to larger groups as the year progresses,” GitHub wrote in a blog post. “GitHub is central to the software supply chain, and securing the software supply chain starts with the developer.”
Developers who are targeted during this initial 2FA enrollment push will receive an email, and they will also see a banner on their GitHub dashboard asking them to sign up. They’ll then have 45 days to activate 2FA, with regular prompts during that period to comply. If 2FA is not configured within this 45-day period, they will be nudged to enable 2FA the next time they try to access their GitHub account, though they will have the choice to “snooze” this for a further week. After that, if they want to access any facet of their GitHub account, including the ability to publish code, they will have no option other than to set up 2FA.
GitHub users can choose their 2FA mechanism from SMS, physical security keys, third-party authenticator apps, and the GitHub mobile app, while GitHub advises that people should have more than one 2FA method activated as a fail-safe measure.
It’s worth noting that the 2FA push won’t end with the initial enrollment. Those that have set up 2FA will receive another prompt after 28 days asking them to validate their 2FA method, which is designed to prevent developers from being locked out of their accounts due to a misconfigured authenticator app or mis-typed mobile phone number. At this stage, if the user isn’t able to authenticate their account, they will be asked to reset their 2FA method without losing access to their account.
In terms of which developers can expect to start receiving 2FA prompts from March 13, well, GitHub has previously said that it will factor in various data points such as publishing frequency, whether they’re administrators at enterprises and whether they contribute to the more popular public and private repositories.
Following this initial rollout, GitHub said that it will apply any lessons learned to the wider rollout through 2023.