  • The time has come: GitHub expands 2FA requirement rollout March 13


    Karlston

    Certain types of users enroll first, but it will be universal by year's end.

     

    Software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting on March 13. That mandate will extend to all developers who contribute code on GitHub.com by the end of 2023.

     

    GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At that time, the company's chief security officer said that it was making the move because GitHub (which is used by millions of software developers around the world across myriad industries) is a vital part of the software supply chain. Said supply chain has been subject to several attacks in recent years and months, and 2FA is a strong defense against social engineering and other particularly common methods of attack.

     

    When that blog post was written, GitHub revealed that only around 16.5 percent of active GitHub users used 2FA—far lower than you'd expect from technologists who ought to know the value of it.

     

    In December, GitHub laid out the details of the plan that goes into effect for more people in a few days. The company will identify specific subsets of users required to jump on the bandwagon first, such as enterprise and organization members, users who contributed code to critical repositories, and so on.

     

    Those users receive periodic reminders within the product and via email 45 days before the requirement takes effect. Starting on their first login after the 2FA deadline, they get daily reminders to enable 2FA. If they still have not done so seven days after that, they will be unable to access most GitHub features until they do. Twenty-eight days after that, GitHub will initiate a "2FA check-up" to ensure that it's working correctly and that the user can still access their account.

     

    Over the course of 2023, more and more accounts will be brought into this process, with all contributing developer accounts included by the end of the year, GitHub says.

     

    This is not the introduction of 2FA for GitHub accounts. Users have long been able to opt in to 2FA for their individual accounts, and enterprise organizations have been able to require 2FA from all members for a while.

     

    GitHub has been gradually rolling out the requirement to specific types of users over the past several months as well. For example, it announced in December that "maintainers of packages with more than 1 million weekly downloads or more than 500 dependents" would have to enable 2FA. Before that, it required 2FA for contributors to JavaScript libraries distributed via NPM.

     

    If you're a GitHub user, you'll have to watch for an email or in-app notification letting you know when your ticket is up.

     

     
