Anyone who contributes to GitHub's code repositories will soon need to enable two-factor authentication (2FA) to keep that privilege. The code-hosting platform has announced that 2FA will be mandatory for all contributors and is giving everyone until the end of 2023 to comply with the new policy.
Those who have not enabled 2FA by the end of next year will lose access to their accounts, and GitHub plans to eliminate the accounts of enterprise members who do not upgrade their security posture. Critics noted that this could cause confusion among rank-and-file employees who suddenly find they can no longer access code through a corporate account, though those same critics also stressed that GitHub's decision is a sound one from a security perspective.
While GitHub already offers several forms of 2FA, uptake has been low among its user base. Only 16.5 percent of its 70 million active users currently protect their accounts with 2FA, and the rate is even lower (a scant 6.44 percent) among users of npm, the Node package manager. Those numbers will presumably climb as the deadline approaches and more people enable 2FA to keep their ability to contribute.
Until then, GitHub will continue to rely on device verification (carried out via email) for additional account security. The news comes shortly after the debut of GitHub's 2FA Mobile app, released in January to make 2FA simpler for users on Android and iOS devices.
Though it had previously stopped short of making 2FA mandatory, GitHub is a long-time supporter of the FIDO Alliance's passwordless authentication protocols. The company partnered with Yubico in May 2021 to enable the use of FIDO U2F and FIDO2 security keys, and it adopted the WebAuthn standard in 2019 to bring biometric authentication to web browsers.