GitHub imposes 2FA on all contributors

GitHub wants to arm itself against supply chain attacks. Two-factor authentication (2FA) will be mandatory for all users who upload code to the platform.

Users who contribute code, use Actions, open pull requests, or merge and publish packages are required to use 2FA. Every end user lacking 2FA will be removed from the platform. Users have until the end of 2023 to enable 2FA.

Different options

Developers have two different 2FA options: security keys for laptops or phones and Time-based One-Time Password (TOTP) authentication apps. According to GitHub, SMS-based authentication isn’t recommended as it can be relatively easily intercepted.

Combating supply chain attacks

GitHub is mandating the change to better protect itself against supply chain attacks. One important step is to stop using traditional login methods such as passwords.

GitHub has been working on security improvements for some time. For instance, devices must be authenticated via e-mail, and the use of account passwords to authenticate Git operations has been discontinued. Password authentication via the REST API was abolished as well. Support for Git over SSH using FIDO2 security keys arrived last year.

Furthermore, the platform developed its own 2FA service, added support for sign-in alerts and automatically blocks compromised passwords.
