The new policy applies to anyone who contributes code to the platform.
GitHub announced this week that it will require all users to enable two-factor authentication (2FA) by the end of 2023. To be clear, the policy applies not just to developers who contribute to GitHub's own projects, but to every user who contributes code to any repository hosted on GitHub.
Two-factor authentication typically requires users to enter a one-time password (OTP) in addition to their account password. The code can be delivered by SMS message or generated by an authenticator app on a smartphone; a hardware security key (FIDO/WebAuthn) is a third option.
GitHub does not recommend delivering the OTP via SMS, however, because it does not provide the same level of protection as an app or a security key: SMS codes can be intercepted through SIM swapping, and NIST SP 800-63B classifies SMS-based out-of-band authentication as a restricted authenticator. Note that app-generated codes are still phishable, since a fake login page can relay them in real time; only security keys bind the second factor to the site's origin. GitHub added its own app-based method, 2FA through the GitHub Mobile app, back in January.
Securing the software supply chain
If a GitHub user's account is compromised (through a stolen or reused password, for example), the threat actor could push malicious code into every repository the account can write to, and that code would flow downstream into every project that depends on them. As such, mandatory 2FA is hailed as a major step to "secure the software supply chain".
GitHub also believes that the introduction of 2FA will make GitHub users “feel more confident about the quality of the code they download from repositories”, according to BleepingComputer.
In May, GitHub announced a similar mandate for maintainers of high-impact packages on the npm registry, which it owns: those with over a million downloads per week or more than 500 dependents.
The broader implementation should not come as a surprise. The platform announced back in August 2021 that it was transitioning users to 2FA. With today’s announcement, the 2FA requirement has been officially extended to the entire GitHub user base of approximately 94 million users.
Users who have not enabled 2FA by the end of 2023 will first be given a one-week grace period, after which they will be unable to access the platform.