The move aims to strengthen the software supply chain and prevent attacks from bad actors through social engineering or similar account takeover attempts. The two-factor authentication mandate was initially announced by GitHub last May with the intention of making it mandatory by the end of 2023.
GitHub has confirmed that platform-wide enforcement will begin on March 13, 2023, and will be rolled out incrementally to different groups of developers and project administrators throughout the rest of the year.
With over 100 million developer users, GitHub is critical to the global software supply chain. Recent high-profile attacks have prompted the Biden administration to issue an executive order to secure the country’s cyber defenses, which included calls for Big Tech to shoulder more responsibility for ensuring their systems are robust.
GitHub’s push for mandatory 2FA aims to reduce the chances of key open-source projects being compromised by bad actors. It also aims to ensure that everyone who needs to be onboarded does so willingly and in good time.
45 days to activate
Developers who are targeted during the initial 2FA enrollment push will receive an email and a banner on their GitHub dashboard asking them to sign up. They’ll have 45 days to activate 2FA, with regular prompts during that period to comply. If 2FA is not configured within these 45 days, they will be prompted to enable 2FA the next time they try to access their GitHub account.
GitHub users can choose their 2FA mechanism from SMS, physical security keys, third-party authenticator apps, and the GitHub mobile app. GitHub advises people to activate more than one 2FA method.
Those who have set up 2FA will receive another prompt after 28 days asking them to validate their 2FA method, a check designed to prevent developers from being locked out of their accounts.
GitHub will factor in various data points, such as publishing frequency, enterprise administrator status, and contributions to popular public and private repositories, when determining which developers will receive 2FA prompts from March 13. The platform will apply lessons learned during the initial rollout to the wider rollout through 2023.