GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this. As standards evolve, we’ll continue to actively explore new ways of securely authenticating users, including passwordless authentication. Developers everywhere can expect more options for authentication and account recovery, along with improvements that help prevent and recover from account compromise.
Why account security and 2FA matter
In November 2021, GitHub committed to new investments in npm account security in the wake of npm package takeovers resulting from the compromise of developer accounts without 2FA enabled. We continue to introduce improvements to npm account security, and are equally committed to securing the accounts of developers using GitHub.
Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to. Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.
At GitHub, we believe that our unique position as the home for all developers means that we have both an opportunity and a responsibility to raise the bar for security across the software development ecosystem. While we are investing deeply across our platform and the broader industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of account compromise. Our response to this challenge continues today with our commitment to drive improved supply chain security through safe practices for individual developers.
Get Started Today
Want to get a head start? We recently launched 2FA for GitHub Mobile on iOS and Android. To configure Mobile 2FA, you’ll need to have at least one other form of 2FA enabled; GitHub also offers a phishing-resistant WebAuthn security key experience and other 2FA options.
GitHub.com organization and enterprise owners can also require 2FA for members of their organizations and enterprises. Note that organization and enterprise members and owners who do not use 2FA will be removed from the organization or enterprise when these settings are enabled.
Over the coming months, we’ll share more details and timelines for future 2FA requirements for GitHub.com users. While we strongly believe 2FA for active contributors (for example, those who commit code, open or merge pull requests, use Actions, or publish packages) is the right thing to do, we also want to ensure a smooth and accessible experience, so look out for future improvements and new features designed to help you secure and recover your accounts.