GitHub will require all users who contribute code on the platform to enable two-factor authentication (2FA) as an additional protection measure on their accounts by the end of 2023.
Two-factor authentication increases the security of accounts by introducing an additional step in the login process that requires entering a one-time code.
For GitHub users, account takeovers can lead to the introduction of malicious code for supply chain attacks that, depending on the project’s popularity, may have a far-reaching impact.
Imposing 2FA as a mandatory measure for all GitHub accounts will make the platform a safer space where users can feel more confident about the quality of the code they download from repositories.
Earlier in the year, the software hosting and collaboration platform announced a similar decision that concerned active developers of high-impact projects with over a million downloads/week or over 500 dependents.
Today, the 2FA requirement is expanded to the entire user base, covering approximately 94 million users.
While GitHub had announced this decision previously, it has now shared more details about how it will implement the new measure.
Rolling out the 2FA requirement
GitHub will roll out mandatory 2FA on all GitHub accounts beginning in March 2023, pushing it at first to select groups of contributors.
The feature rollout will be evaluated before it’s scaled to larger groups, measuring onboarding rates, account lockout and recovery, and support ticket volumes.
GitHub says the pool of larger groups will be built using the following criteria:
- Users who published GitHub or OAuth apps or packages
- Users who created a release
- Users who are Enterprise and Organization administrators
- Users who contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems
- Users who contributed code to the approximate top four million public and private repositories
Those who receive advance notice to enable 2FA via email will be given a 45-day period to do it.
Upon reaching the deadline, the users will start seeing a prompt to enable 2FA on GitHub for another week, and if they fail to take action, they will be blocked from accessing GitHub features.
“This one-week snooze period only starts when you sign in after the deadline, so if you’re on vacation, don’t worry – you won’t come back locked out of GitHub.com,” clarifies the announcement.
Twenty-eight days after enabling 2FA, the users will undergo a mandatory check-up to confirm the new security setup is working as expected while allowing users to reconfigure their 2FA settings and recover any lost codes.