GitHub Released More Details On 2FA

GitHub will require all contributors who code on the platform to enable two-factor authentication (2FA), as an extra protection measure for their accounts, by 2023.

Two-factor authentication improves security by adding an extra step to the login process, which requires you to enter a unique code.

Takeovers of GitHub user accounts can result in malicious code being introduced in supply chain attacks. This could have a significant impact on project popularity.

The platform will be safer, and users will feel more confident downloading code from repositories if 2FA is added.

The software hosting and collaboration platform had earlier announced a similar decision. It concerned active developers of high-impact projects that receive over a million downloads per week or have more than 500 dependents.

The 2FA requirement has now been extended to all users, covering approximately 83 million users.

Although GitHub had previously announced the decision, the company has now provided more information about how it will implement it.

GitHub will roll out mandatory 2FA for all GitHub accounts starting March 2023. The requirement will first be rolled out to selected groups.

Before the feature rollout is scaled to larger groups, it will be assessed for onboarding rates, account lockout, recovery, and support ticket volume.

GitHub says that the larger groups will be selected using the following criteria:

  • Users who have published GitHub and OAuth apps or packages
  • Users who created a release
  • Administrators of Enterprise and Organizations
  • Users who contributed code in repositories that were deemed critical by PyPI, OpenSSL, or RubyGems
  • Users who contributed code to the approximate top four million public and private repositories

Users who receive the email notice about 2FA will have 45 days to enable it.

After the deadline has passed, users will see a prompt for a further week asking them to enable 2FA on GitHub. If they take action, they may be allowed to access GitHub features.

The announcement clarifies, “The one-week snooze period starts when you sign in after the deadline. If you’re on vacation, don’t worry – you won’t be locked out of GitHub.com.”

Users will be checked every 28 days to ensure that 2FA is enabled. This will allow them to reset their 2FA settings and retrieve any codes they lost.
