Microsoft-owned open source software repository GitHub on Thursday announced that it will require all users to enable one or more forms of two-factor authentication (2FA) by the end of 2023, including more than 7.2 million developers in India.
Nearly 83 million developers who contribute code on GitHub.com will need to enroll in 2FA by the end of 2023 as part of the company’s platform-wide effort to secure the software ecosystem.
“GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimise for this,” said Mike Hanley, Chief Security Officer, GitHub.
Developers everywhere can expect more options for authentication and account recovery, along with improvements that help prevent and recover from account compromise, said the company.
Compromised accounts can be used to steal private code or push malicious changes to that code, placing not only the individuals and organisations associated with the compromised accounts at risk, but also any users of the affected code.
“The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial,” said Hanley.
“2FA is a powerful next line of defence; however, despite demonstrated success, 2FA adoption across the software ecosystem remains low overall,” said the company.
To date, only approximately 16.5 per cent of active GitHub users and 6.44 per cent of npm users use one or more forms of 2FA.
“On May 31, we will be enrolling all maintainers of the top-500 packages in mandatory 2FA. Our final cohort will be maintainers of all high-impact packages, those with more than 500 dependents or 1 million weekly downloads, whom we plan to enroll in the third quarter of this year,” the company said.