GitHub rolls out mandatory 2FA for loads of devs next week
Engineers who contribute to public projects told to enroll
Microsoft's GitHub code hosting biz plans to begin requiring developers who contribute to public projects to secure their accounts using two-factor authentication (2FA) by Monday, March 13.
The heightened security posture has been in the works since last year when the company announced it would make 2FA obligatory by the end of 2023, following a prior, more targeted 2FA mandate.
"GitHub is central to the software supply chain, and securing the software supply chain starts with the developer," explained Laura Paine, product marketing director for GitHub Security Lab, and Hirsch Singhal, staff product manager, in a blog post. "Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security."
The reason for the bother is that compromising the account of a software developer has the potential to provide the attacker with access to all the devices running the developer's code – possibly a huge attack surface expansion given the widespread code sharing GitHub enables.
The detection of major supply chain attacks, such as the 2021 compromise of SolarWinds' Orion monitoring tool by Russian agents, has amplified calls for better software security and led software development firms like GitHub to make more demands on their users.
Other packaging ecosystems have put similar rules in place. RubyGems, for example, last August began requiring multi-factor authentication for owners of gems (packages) with more than 180 million downloads. And the Python Package Index announced the introduction of two-factor authentication (2FA) in 2019, then made it mandatory for any project in the top 1 percent of downloads last year.
GitHub has been gradually lowering the bar for mandatory 2FA. In February 2022, the company began requiring 2FA for the maintainers of top 100 npm packages. In November 2022, it revised its requirement to cover all maintainers of popular packages with more than a million weekly downloads or packages with more than 500 dependents.
The new policy, say Paine and Singhal, will be rolled out gradually, with groups of developers who contribute code getting the nod on an ongoing basis. Accounts drafted to defend the community can expect to be notified by email. Thereafter, draftees will have 45 days to set up 2FA, during which time reminders can be expected.
A company spokesperson declined to provide specific criteria for inclusion in the program so as not to invite debate about the matter.
"While GitHub won't be providing specifics regarding how users qualify for these groups or which group a specific user will fall into, these groups are built from the following criteria with an emphasis on impact to security of the broader ecosystem," a spokesperson said.
In general, designated developers include:
- Users who published GitHub or OAuth apps or Actions or packages
- Users who created a release
- Users who are Enterprise and Organization administrators
- Users who contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems
- Users who contributed code to the approximate top four million public and private repositories
After that deadline has passed, account holders will be required to enable 2FA to access GitHub. Users who first try to log in after the deadline will be able to postpone activation for up to a week; after that, access for non-compliant accounts will be limited. And 28 days after implementing 2FA, enrolled developers will be asked to validate their 2FA setup as an additional check.
GitHub has expanded the 2FA options available and made an effort to ensure there are workable account recovery options, such as the ability to disconnect email accounts from 2FA-locked GitHub accounts. Developers can use TOTP, SMS, security keys, or GitHub Mobile as their preferred 2FA method, and can have a second method as well. SMS is supported but discouraged – as Paine and Singhal point out, it's no longer recommended under NIST 800-63B.
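To make concrete what the TOTP option above actually involves on the verifying side, here is an added example (not GitHub's code, and not from the blog post the article cites) of a time-based one-time password verifier as specified in RFC 6238. It is self-contained: the shared secret and timestamps are the RFC's own published test values, the clock-skew window and the replay check are design choices of this example, and the `TotpVerifier` class name is an assumption, not a GitHub API.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Verifies submitted codes for one account (hypothetical class, for illustration).

    Two details a login service must get right beyond computing the code:
    - tolerate small clock drift between the authenticator and the server by
      accepting the adjacent time steps (the `skew` window), and
    - never accept a code for a time step that has already been used, so an
      intercepted code cannot be replayed inside its 30-second validity window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter: int = -1  # highest time step already consumed

    def matching_counter(self, submitted: str, at_time: int) -> Optional[int]:
        """Return the time-step counter the code matches within the skew window, else None."""
        base = int(at_time) // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, submitted):
                return counter
        return None

    def verify(self, submitted: str, at_time: int) -> bool:
        counter = self.matching_counter(submitted, at_time)
        if counter is None or counter <= self.last_counter:
            return False  # wrong code, outside the window, or a replay
        self.last_counter = counter
        return True


# Constructed demo using the RFC 6238 Appendix B test secret (ASCII "1234...90").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 lists 94287082 as the 8-digit SHA-1 TOTP at Unix time 59.
    print(totp(RFC_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    print(v.verify(code, 59), v.verify(code, 59))  # first use accepted, replay rejected
```

The skew window is what keeps a phone whose clock is a few seconds off from being locked out, and the `last_counter` check is what turns a valid-for-30-seconds code into a valid-once code; both are part of why TOTP holds up better than SMS delivery of the same six digits.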
"Open source software is ubiquitous, with 90 percent of companies reporting that they use open source in their proprietary software," said Paine and Singhal. "GitHub is a critical part of the open source ecosystem, which is why we take ensuring account security seriously." ®