GitHub To Require Two-Factor Authentication
Tuesday, 10 May 2022

GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

The announcement was made by Mike Hanley, Chief Security Officer at GitHub.


Hanley said:

"GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this."

He said that GitHub will continue to actively explore new ways of securely authenticating users, including passwordless authentication, and that developers can expect more options for authentication and account recovery.

Back in January, GitHub announced that developers can use GitHub Mobile on iOS and Android as an easy-to-use two-factor authentication mechanism. This option was added to existing authentication options including security keys and WebAuthn, one-time passcodes, and SMS.

The addition of mobile authentication followed a commitment last year by GitHub to new investments in npm account security following npm package takeovers that compromised developer accounts without 2FA enabled.

All the maintainers of the top 100 GitHub packages on the npm registry have now been enrolled in mandatory 2FA, and all npm accounts now use enhanced login verification. On May 31, 2022 this will be extended to all maintainers of the top 500 packages. Maintainers of all high-impact packages, those with more than 500 dependents or 1 million weekly downloads, will follow in the third quarter of the year.

GitHub has also deprecated basic authentication for git operations and requires email-based device verification, in addition to a username and password.

GitHub’s own research has found that only around one in six active GitHub users currently have two-factor authentication enabled on their accounts:

"Today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA."

Hanley said that moving beyond basic password-based authentication is vital to prevent compromised accounts being used to steal private code or push malicious changes to that code.

