GitHub announced that it will require developers who contribute code to the repository to use two-factor authentication by the end of 2023, in a drive to better lock down the security of the software supply chain.
Just 16.5% of GitHub.com users currently use two-factor authentication, considered to be a substantially more secure method of logging in given that it requires more than just a password. The two-factor authentication requirement will affect GitHub.com's 83 million users, and is being announced well in advance to "make sure we get this right" in terms of the user experience for developers, said Mike Hanley, chief security officer at GitHub.
In an interview with Protocol, Hanley said the move "has a potential to really bolster the overall security of the software ecosystem." GitHub said that its enterprise customers will also be able to require their developers to use two-factor authentication when accessing their repositories.
The announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential security risks of open source software components. This is due in part to rising attacks against software supply chains — which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.
Countless software development teams depend on the use of open source code from repositories such as GitHub. But the insertion of malicious code into a major open source project — perhaps enabled by a compromised password — can be catastrophic. With widely used open source code, if an adversary has control for even a short time, "it can be downloaded tens of thousands of times or hundreds of thousands of times," Hanley said.
GitHub has significantly ramped up its investments in security over the past year, Hanley said — and particularly since a supply chain attack in October that targeted a GitHub-owned provider of JavaScript components, npm. The attack resulted from compromised developer accounts that did not have two-factor authentication, according to GitHub.
In terms of the forthcoming requirement for contributors to use two-factor authentication with GitHub.com, the company will allow methods including hardware security keys and mobile push notifications that can be approved from the GitHub app, he said.