Jump to content
  • GitHub to require all users to enable 2FA by the end of 2023


    Karlston

    • 708 views
    • 3 minutes
     Share


    • 708 views
    • 3 minutes

    GitHub will require all users who contribute code on the platform to enable two-factor authentication (2FA) as an additional protection measure on their accounts by the end of 2023.

     

    Two-factor authentication increases the security of accounts by introducing an additional step in the login process that requires entering a one-time code.

     

    For GitHub users, account takeovers can lead to the introduction of malicious code for supply chain attacks that, depending on the project’s popularity, may have a far-reaching impact.

     

    Imposing 2FA as a mandatory measure for all GitHub accounts will make the platform a safer space where users can feel more confident about the quality of the code they download from repositories.

     

    Earlier in the year, the software hosting and collaboration platform announced a similar decision that concerned active developers of high-impact projects with over a million downloads/week or over 500 dependents.

     

    Today, the 2FA requirement is expanded to the entire user base, covering approximately 83 million users.

     

    While GitHub had announced this decision previously, it has now shared more details about how it will implement the new measure.

    Rolling out the 2FA requirement

    GitHub will roll out mandatory 2FA on all GitHub accounts beginning in March 2023, pushing it at first to select groups of contributors.

     

    The feature rollout will be evaluated before it’s scaled to larger groups, measuring onboarding rates, account lockout and recovery, and support ticket volumes.

     

    GitHub says the pool of larger groups will be built using the following criteria:

     

    • Users who published GitHub or OAuth apps or packages
    • Users who created a release
    • Users who are Enterprise and Organization administrators
    • Users who contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems
    • Users who contributed code to the approximate top four million public and private repositories

     

    Those who receive advance notice to enable 2FA via email will be given a 45-day period to do it.

     

    Upon reaching the deadline, the users will start seeing a prompt to enable 2FA on GitHub for another week, and if they fail to take action, they will be blocked from accessing GitHub features.

     

    “This one-week snooze period only starts when you sign in after the deadline, so if you’re on vacation, don’t worry – you won’t come back locked out of GitHub.com,” clarifies the announcement.

     

    Twenty-eight days after enabling 2FA, the users will undergo a mandatory check-up to confirm the new security setup is working as expected while allowing users to reconfigure their 2FA settings and recover any lost codes.

     

     

    GitHub to require all users to enable 2FA by the end of 2023


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...