GitHub to make 2-factor authentication compulsory for developers

Open-source software development platform GitHub has announced that it will make 2-factor authentication compulsory for its user base of over 83 million developers globally.  

“GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023,” wrote Mike Hanley, Chief Security Officer, GitHub, in a blogpost. 

“As standards evolve, we’ll continue to actively explore new ways of securely authenticating users, including passwordless authentication,” Hanley added. 

As of November 2021, the platform had 7.2 million developers from India alone, according to a company statement. 

The move came in the backdrop of a security breach at GitHub. The platform confirmed a security breach saw a hacker download data from dozens of private code repositories of GitHub.  

The security breach saw unauthorised access to the npm production infrastructure, along with other repositories, accessed through a compromised AWS API key on April 12. Npm is a package manager for JavaScript and is the world’s largest software registry with 75 billion downloads a month.   

In November 2021, GitHub had announced new investments in its npm account security. On February 1 this year, the company made 2FA compulsory for the top 100 npm package users.   

GitHub said that most security breaches were not zero-day attacks, i.e., they were not attacks that misused a serious software security flaw that the vendor was unaware of, but rather involved lower-cost attacks such as the likes social engineering (a manipulation technique that exploits human error to gain private information), credential theft or leakage to compromise accounts, which are later used to steal private code. 

“The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial,” wrote Hanley. 

Hence to avoid such instances, GitHub said that 2FA was the best method currently to negate the chances hackers have in carrying out attacks.  On 7 March this year, Sophos reported that open-source computer hardware company Adafruit Industries accidentally exposed customer data through the GitHub account of a former employee.