Skip to main content
close search
site logo

GitHub to begin rollout of 2FA security upgrade for developers

The enhancement is part of a wider series of security measures following a series of malicious cyberattacks.

Published March 9, 2023
David Jones's headshot
Reporter
Close-up Focus on Person's Hands Typing on the Desktop Computer Keyboard
gorodenkoff via Getty Images

GitHub will begin the rollout of a long-anticipated security upgrade, which requires all developers who contribute code on GitHub.com to enable two-factor authentication to access the platform before the end of 2023.

GitHub, starting on Monday, will begin notifying small groups of developers and administrators via email in order to allow time for adjustments. After the initial period, GitHub will scale the rollout into larger groups over the course of the year. 

The security upgrade is designed to offer more robust protection for developers who have been frequent targets of malicious cyber campaigns.

“Securing the software supply chain starts with the developer, and our 2FA initiative is part of a platform-wide effort to secure software development by improving account security,” Hirsch Singhal, staff product manager at GitHub, said via email.

GitHub users who are selected for enrollment will get a prompt after 28 days asking them to perform 2FA and confirm second-factor settings. 

GitHub previously announced the 2FA authentication plan for developers in May 2022, about six months after it rolled out enhancements to npm security as a result of npm package takeovers. GitHub made security changes to require maintainers of more than 1 million weekly downloads or more than 500 dependents to enable 2FA. 

As of May 2022, more than 83 million developers were on the platform, according to GitHub. About 20% of active users have enabled 2FA, according to Singhal. Millions of developers are expected to enable 2FA this year. 

Accounts will have a total of 45 days to configure 2FA and users will be notified when their deadline is pending. Users will be able to snooze notifications for up to seven days, however after that they will have only limited access to accounts. 

Users will have multiple options for 2FA, and can simultaneously use an authenticator app (TOTP) as well as an SMS number registered on their accounts. GitHub recommends security keys along with the TOTP app rather than SMS, as SMS has been found to be less secure. 

SMS is no longer recommended as an authentication method under NIST-800-63B guidelines. 

GitHub said is internally testing passkeys, which offer a combination of ease of use with resistance to phishing. 

Rival GitLab does not require 2FA, but is strongly recommended, according to Wayne Haber, director, engineering. Despite the lack of a mandate, users may be prompted to enter an emailed code that GitLab generates based on risk assessment in addition to entering username and password.  

GitLab has more than 30 million registered users. 

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell