GitHub To Require Two-Factor Authentication
Tuesday, 10 May 2022

GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

The announcement was made by Mike Hanley, Chief Security Officer at GitHub.


Hanley said:

"GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this."

He said that GitHub will continue to actively explore new ways of securely authenticating users, including passwordless authentication, and that developers can expect more options for authentication and account recovery.

Back in January, GitHub announced that developers can use GitHub Mobile on iOS and Android as an easy-to-use two-factor authentication mechanism. This option was added to the existing authentication options, which include security keys and WebAuthn, one-time passcodes, and SMS.

The addition of mobile authentication followed a commitment last year by GitHub to new investments in npm account security following npm package takeovers that compromised developer accounts without 2FA enabled.

All the maintainers of the top 100 GitHub packages on the npm registry have now been enrolled in mandatory 2FA, and all npm accounts now use enhanced login verification. On May 31, 2022 this will be extended to all maintainers of the top 500 packages; maintainers of all high-impact packages, meaning those with more than 500 dependents or 1 million weekly downloads, will follow in the third quarter of the year.

GitHub has also deprecated basic authentication for git operations and requires email-based device verification, in addition to a username and password.

GitHub’s own research has found that only around one in six active GitHub users currently have two-factor authentication enabled on their accounts:

"Today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA."

Hanley said that moving beyond basic password-based authentication is vital to prevent compromised accounts being used to steal private code or push malicious changes to that code.


More Information

GitHub
