To stop hackers from tampering with the software supply chain, GitHub will force users to adopt two-factor authentication (2FA) starting on March 13.
The requirement will first roll out to small groups of users before GitHub scales the requirement to more people as the year goes on. The goal is to make the 2FA requirement mandatory for all users before the end of 2023.
“If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll,” the company wrote in a blog post on Thursday. “You’ll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders.”
GitHub originally announced the 2FA requirement last year, citing the threat of hackers hitting the software supply chain. Microsoft-owned GitHub is best known as a code repository platform, where developers can post and contribute to open-source software projects, and integrate them into their own products.
GitHub has since attracted over 100 million developers across the globe. But the platform is a ripe target for abuse. For instance, a hacker could tamper with a popular coding project on GitHub and cause it to secretly load malware onto a computer. Software developers could then inadvertently cause the malicious code to spread by incorporating it into their own products.
In addition, a hacker could break into a GitHub developer’s account to steal code on proprietary software. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Mike Hanley, chief security officer for GitHub, wrote in May.
2FA (aka multi-factor authentication) can stymie hackers since it forces anyone signing into an account to supply both the correct password and a one-time passcode generated on the original account holder’s phone. This can make it harder, but not impossible, for an attacker to break in.
GitHub users looking to activate the 2FA before March 13 can go to their account settings. The platform offers 2FA through an authenticator app, a security key, and via SMS, although GitHub strongly recommends users drop the SMS option. Over the years, hackers have shown they can steal the one-time passcode generated over SMS by performing SIM swapping attacks on the victim’s phone number. Doing so can allow a hacker to intercept phone calls and SMS messages sent to the device.
Still, GitHub decided to keep the SMS-based 2FA as an option for users worried about being locked out of their accounts. The platform added: “You can now have both an authenticator app (TOTP) and an SMS number registered on your account at the same time. While we recommend using security keys and your TOTP app over SMS, allowing both at the same time helps reduce account lock out by providing another accessible, understandable 2FA option that developers can enable.”