GitHub to Require 2FA by the End of 2023

Microsoft announced today that GitHub will require all contributors to enroll in two-factor authentication (2FA) by the end of 2023.

“Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Microsoft’s Mike Hanley explains. “Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.”

According to Microsoft, there are over 83 million developers contributing code to GitHub, and over 10 million of them came on board in the last six months alone. But because compromised accounts can lead to the theft of private code, protecting those accounts is not just important, it’s obvious.

Microsoft had previously deprecated basic authentication for git operations and its API, and it now requires email-based device verification in addition to a username and password. But 2FA is what Hanley calls “a powerful next line of defense.” The problem? Only 16.5 percent of active GitHub users are using one or more forms of 2FA.

If you want to get started today, and should, GitHub recently launched 2FA for GitHub Mobile on iOS and Android. You can learn more here.