GitHub to introduce 2FA requirement for developer accounts


GitHub has announced plans that will require all code contributors to enable at least one form of two-factor authentication (2FA) as a security measure.

Although the requirement for the extra protection will not kick in immediately, it is something that developers need to be aware of if they want to continue to use the platform.


Announcing the news, GitHub’s Mike Hanley says: “as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023”.

Acknowledging that not everyone will be able to implement 2FA immediately, GitHub is giving users time to adjust to the new security requirements:

GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this by the end of 2023.

The company says that it will keep an eye on evolving standards, and will continue to actively explore new ways of securely authenticating users, including passwordless authentication.

Although ostensibly a sensible security move, GitHub’s plans have not impressed everyone. Jasson Casey, CTO at Beyond Identity, says:

All companies must ensure the integrity of the software products they deliver to their customers. This is only achieved by building/linking code from verified developers and trusted 3rd parties, ensuring only those builds get packaged and helping customers verify the provenance of this entire custody chain.

While requiring 2FA for administrative console access is a sensible step, it does nothing to solve the code integrity problem. As well, many 2FA security solutions are extremely weak and fundamentally flawed – most password or legacy 2FA systems can be bypassed using off-the-shelf phishing and MITM exploits so this additional “security” layer isn’t that effective at all.

More information is available in GitHub’s blog post.

Image credit: Piotr Swat / Shutterstock

Author: Martha Meyer