
GitHub will require more accounts to enable 2FA starting March 13th. This mandate will extend to all developers who contribute code to GitHub.com by the end of 2023.
GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At the time, the company’s chief security officer said it was making the move because GitHub (used by millions of software developers around the world across a myriad of industries) is a vital part of the software supply chain. That supply chain has been subjected to several attacks in recent years, and 2FA is a powerful defense against social engineering and other particularly popular attack methods.
When this blog post was written, GitHub revealed that only about 16.5 percent of active GitHub users used 2FA — far less than you’d expect from techies who should know the value of it.
In December, GitHub published details of the plan that goes into effect for more people in a few days. The company will define certain subgroups of users that are required to enroll first, such as organization administrators and members, users who have contributed code to critical repositories, and so on.
These users receive periodic in-product and email alerts 45 days before the requirement takes effect. Starting with their first login after the 2FA deadline, they’ll get daily reminders to enable 2FA. If they haven’t done so seven days after that, they won’t be able to access most GitHub features until they do. Twenty-eight days after this, GitHub will initiate a “2FA check” to ensure that 2FA is working properly and that the user can still access their account.
GitHub says that over the course of 2023, more and more accounts will be entered into the process, with all contributing developer accounts to be included by the end of the year.
2FA itself is not new to GitHub accounts. Users have long been able to enable 2FA for their individual accounts, and organizations have been able to require two-factor authentication from all members for a while.
GitHub has been gradually rolling out the requirement to certain types of users over the past several months as well. For example, it announced in December that “admins of packages with more than 1 million weekly downloads or more than 500 followers” must enable two-factor authentication (2FA). Prior to this, it required 2FA for contributors to JavaScript libraries distributed via NPM.
If you’re a GitHub user, keep an eye out for an email or in-app notification letting you know when your deadline arrives.