Users who upload code to the site will need to enable one or more forms of 2FA by the end of 2023 to continue using the platform.
GitHub will require all users who contribute code to the platform to enable one or more forms of two-factor authentication (2FA).
The Microsoft-owned company says only 16.5% of active GitHub users and 6.44% of npm users use 2FA, fewer than many would have expected.
The platform said the move was “part of a platform-wide effort to secure the software ecosystem through improving account security.”
GitHub has already taken a few steps beyond basic password-based authentication, including withdrawing basic authentication for git and its API operations, and requiring device verification with email in addition to a username and password.
The platform said: “2FA is a powerful next line of defense.”
Mike Hanley, GitHub’s chief security officer, wrote in the announcement that compromised accounts can be used to steal private code or push malicious changes to that code.
“This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial,” said Hanley.
Andrew Hay, COO at LARES Consulting, branded GitHub’s decision “a great move towards increasing the complexity of account takeovers.”
However, Hay expressed concern about what could happen if some GitHub contributors do not implement 2FA.
“One design decision that may cause some issues is that GitHub stated that it will remove enterprise members and owners who do not use 2FA from the organisation or enterprise once these settings are enabled,” said Hay.
“We don’t expect this to cause many issues, but it may lead to some calls to the support desk if a user finds that they can no longer access the code repositories they once had access to,” he said.
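The obvious check before flipping that organisation-wide setting is to list the members who would be removed by it. The script below is an added example written for this page, not code from GitHub or from LARES; it calls GitHub's REST endpoint `GET /orgs/{org}/members?filter=2fa_disabled` (which requires an organisation-owner token) and follows the `Link: rel="next"` header so that organisations larger than one page are covered. The `fetch` parameter is an assumption of this example, added so the pagination logic can be exercised offline with constructed responses.

```python
"""Added example: audit which organisation members have 2FA disabled before
enabling the org-wide 2FA requirement, so nobody loses access unexpectedly.
Endpoint used: GET /orgs/{org}/members?filter=2fa_disabled (org-owner token).
"""
import json
import os
import re
import sys
import urllib.request

API = "https://api.github.com"


def next_link(link_header):
    """Return the URL tagged rel="next" in a GitHub Link header, or None."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def http_get(url, token):
    """Fetch one page of JSON from the API; returns (body, Link header)."""
    req = urllib.request.Request(
        url,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode()), resp.headers.get("Link")


def members_without_2fa(org, token, fetch=http_get):
    """Return the sorted logins of org members who have no 2FA enabled.

    `fetch` is an assumption of this example: it takes (url, token) and
    returns (json_body, link_header), so tests can substitute canned pages.
    """
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    logins = []
    while url:
        page, link = fetch(url, token)
        logins.extend(member["login"] for member in page)
        url = next_link(link)  # None when there is no further page
    return sorted(logins)


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python audit_2fa.py <org>
    if len(sys.argv) != 2 or "GITHUB_TOKEN" not in os.environ:
        sys.exit("usage: GITHUB_TOKEN=<org-owner token> audit_2fa.py <org>")
    for login in members_without_2fa(sys.argv[1], os.environ["GITHUB_TOKEN"]):
        print(login)
```

Run it against each organisation before enabling the requirement and contact the listed accounts first; once the setting is on, those members are dropped from the organisation rather than merely warned.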
GitHub has also enrolled maintainers of the top 100 npm packages in mandatory 2FA to prevent attacks on the software supply chain. It plans to expand to maintainers of the top 500 packages this month and then to all packages with more than 500 dependents or 1 million downloads per week.