GitHub has begun its official rollout of two-factor authentication (2FA) for developers who contribute code to the platform to enhance the security of accounts and the software supply chain.
GitHub first announced its intention to mandate 2FA for all code contributors in May 2022, and will begin the first group's enrolment on Monday, March 13.
GitHub is allowing users to choose their preferred 2FA method – SMS, TOTP, security keys, or GitHub mobile. The rollout comes a week after the White House released an ambitious National Cybersecurity Strategy that puts responsibility on software vendors to secure the software ecosystem.
GitHub developers and administrators have 45 days to configure 2FA on accounts
GitHub will be reaching out to groups of developers and administrators over the course of the year to start their 2FA enrolment, with the first group being contacted next week.
Developers and administrators will then have 45 days to configure 2FA on their accounts. To ensure a smooth 2FA experience, GitHub is offering contributors authentication options, the development platform said. These include:
- Choice of preferred 2FA method: Users can choose among TOTP, SMS, security keys, or GitHub Mobile as their preferred 2FA method.
- Second-factor validation after 2FA setup: This helps avoid account lockout due to misconfigured authenticator applications (TOTP apps).
- Enrolment of multiple second factors: Developers and administrators can register both an authenticator app (TOTP) and an SMS number on their account at the same time, which helps reduce account lockout by providing another accessible 2FA option.
- Email unlinking in case of 2FA lockout: Developers and administrators can unlink their email address from a two-factor enabled GitHub account in case they’re unable to sign in or recover it.
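The "second-factor validation after 2FA setup" option above exists because a TOTP authenticator is only as good as its clock and its copy of the shared secret: if the device is a few minutes off, every code it produces falls outside the server's acceptance window and the user is locked out the moment 2FA is enforced. The following is an added example, not GitHub's code, that implements RFC 6238 TOTP on top of RFC 4226 HOTP and then simulates a post-setup validation round with a skewed client clock. The secret is the RFC 6238 test-vector key encoded in base32; the `window` parameter (one 30-second step either side) is an assumed server policy, not GitHub's documented tolerance.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test-vector key ("12345678901234567890" as ASCII), base32-encoded.
# Constructed for this example; a real deployment generates a fresh random secret.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(nbytes=20):
    """Generate a random base32 secret suitable for a TOTP enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret.upper() + "=" * (-len(secret) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Check `code` against the current step and `window` steps either side.

    Returns the step offset that matched (0 = exactly on time) or None.
    Comparison is constant-time so timing does not leak how many digits matched.
    """
    t = int(time.time() if at is None else at)
    counter = t // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return delta
    return None


def setup_validation(secret, server_time, client_skew_seconds, digits=6, window=1):
    """Simulate the post-enrolment check: the user's app (whose clock is off by
    `client_skew_seconds`) produces a code and the server verifies it before 2FA
    is switched on. Returns True if the server would accept it."""
    client_code = totp(secret, at=server_time + client_skew_seconds, digits=digits)
    return verify_totp(secret, client_code, at=server_time,
                       digits=digits, window=window) is not None


if __name__ == "__main__":
    now = 1111111109  # one of the RFC 6238 reference times
    print("code:", totp(EXAMPLE_SECRET, at=now, digits=8))          # 07081804
    print("in sync:", setup_validation(EXAMPLE_SECRET, now, 0))      # True
    print("2s fast:", setup_validation(EXAMPLE_SECRET, now, 2))      # True (next step)
    print("5 min slow:", setup_validation(EXAMPLE_SECRET, now, -300))  # False: would lock out
```

A device five minutes behind fails validation here rather than after enforcement, which is exactly the failure the post-setup check is meant to surface. Widening `window` buys tolerance at the cost of more codes being valid at once, so a server that needs to accept drifted clients should record the matched offset per user and resynchronise rather than grow the window globally.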
Protecting developers key to securing software supply chain
In a blog published last May, GitHub CSO Mike Hanley stated that developer accounts are frequent targets for social engineering and account takeover, and so protecting developers from attacks is the first and most critical step toward securing the software supply chain.
All users who contribute code on GitHub will be required to enable one or more forms of 2FA by the end of 2023, he added.
The goal is to move beyond basic password-based authentication to provide 2FA-enhanced defense. “Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to,” Hanley wrote.
“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organisations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.”
CybelAngel senior analyst David Sygula told CSO in May that while GitHub's plan to implement 2FA across its platform will significantly reduce the chances of account takeover, it doesn't mean GitHub users will stop sharing secrets in their repositories.
“One of the issues is that repositories are made public; there is no need to log in, so multi-factor authentication won’t help with that. It’s a good practice, but it will be of little help in securing the supply chain.”