In an effort to further protect developer accounts and code hosted on their platform, GitHub announced that its users will need to register for two-factor authentication (2FA) by the end of next year.
In particular, anyone who contributes code to the Microsoft-owned platform will need to enable one or more forms of 2FA.
According to a new blog post from GitHub CEO Mike Hanley, the software supply chain starts with developers, and developer accounts are frequently targeted by social engineering and account takeover. By protecting developers from these types of attacks, the company is taking the first and most important step towards securing the software supply chain.
In the future, GitHub plans to explore new ways to securely authenticate its users, including passwordless authentication. In fact, only last year the company added support for security keys as an authentication method as part of its efforts to move away from passwords.
Securing the software supply chain
Back in November last year, GitHub made new investments in npm account security following takeovers of npm packages that resulted from compromised developer accounts without 2FA enabled.
Although zero-day vulnerabilities attract a lot of attention online, cheaper attacks such as social engineering, credential theft or data leakage are actually responsible for most security breaches.
Compromised GitHub accounts can be used to steal private code or even to make malicious changes to that code. Unfortunately, it is not only the individuals and organizations associated with these compromised accounts that are at risk, but also any users of the affected code.
The best protection against account compromise goes beyond simple password-based authentication. However, only 16.5% of all active GitHub users today and 6.44% of npm users use one or more forms of 2FA.
GitHub users have plenty of time to prepare for this change, and the company recently launched 2FA support in GitHub Mobile on iOS and Android. Those who want to learn how to set up GitHub Mobile 2FA can check out this support document to get started.
https://www.techradar.com/news/github-will-require-all-developers-to-enroll-in-2fa-by-the-end-of-2023/