GitHub to Require 2FA by the End of 2023

Posted on May 4, 2022 by Paul Thurrott in Dev with 5 Comments

Microsoft announced today that GitHub will require all contributors to enroll in two-factor authentication (2FA) by the end of 2023.

“Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Microsoft’s Mike Hanley explains. “Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on to enable one or more forms of two-factor authentication (2FA) by the end of 2023.”

According to Microsoft, there are over 83 million developers contributing code to GitHub, and over 10 million of them came on board in the last six months alone. But because compromised accounts can lead to the theft of private code, protecting those accounts is not just important, it’s obvious.

Microsoft had previously deprecated basic authentication for git operations and its API, and it now requires email-based device verification in addition to a username and password. But 2FA is what Hanley calls “a powerful next line of defense.” The problem? Only 16.5 percent of active GitHub users are using one or more forms of 2FA.

If you want to get started today, and you should, GitHub recently launched 2FA for GitHub Mobile on iOS and Android. You can learn more here.


5 responses to “GitHub to Require 2FA by the End of 2023”

  1. red.radar

    While I get the importance and understand the issue…. MFA technologies are rather inconvenient.

    I hate having to keep my phone by my side every time I use a desktop computer.

    • fishnet37222

      My phone is always by my side, whether or not I'm sitting in front of my PC.

    • IanYates82

      Use a password manager that also knows how to calculate the TOTP rolling code values.

      Or use phone-to-PC software like Pushbullet or Your Phone (whatever it's called now) to get SMS on your PC.

    • wright_is

      I use a physical token wherever I can (Yubikey).

  2. dftf

    Given the increasing number of compromised personal and business accounts every week these days, it's way overdue to force 2FA/MFA now. Even if it's only via SMS, it's still better than no 2FA... and that option means people with non-smartphone devices, such as a "feature-phone" or landline, can still receive them (the SMS will be read aloud by an AI voice in the case of the latter).

    Every site I use online (well, except this one!) all support 2FA, and I use it wherever I can.