GitHub to Require 2FA by the End of 2023

Microsoft announced today that GitHub will require all contributors to enroll in two-factor authentication (2FA) by the end of 2023.

“Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Microsoft’s Mike Hanley explains. “Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.”

According to Microsoft, there are over 83 million developers contributing code to GitHub, and over 10 million of them came on board in the last six months alone. But because compromised accounts can lead to the theft of private code, protecting those accounts is not just important, it’s obvious.

Microsoft had previously deprecated basic authentication for git operations and its API, and it now requires email-based device verification in addition to a username and password. But 2FA is what Hanley calls “a powerful next line of defense.” The problem? Only 16.5 percent of active GitHub users are using one or more forms of 2FA.

If you want to get started today, and you should, GitHub recently launched 2FA for GitHub Mobile on iOS and Android. You can learn more here.

Conversation 5 comments

  • red.radar

    Premium Member
    04 May, 2022 - 2:54 pm

    While I get the importance and understand the issue… MFA technologies are rather inconvenient.

    I hate having to keep my phone by my side every time I use a desktop computer.

    • fishnet37222

      Premium Member
      04 May, 2022 - 3:00 pm

      My phone is always by my side, whether or not I’m sitting in front of my PC.

    • IanYates82

      Premium Member
      04 May, 2022 - 5:39 pm

      Use a password manager that also knows how to calculate the TOTP rolling code values.

      Or use phone-to-PC software like Pushbullet or Your Phone (whatever it’s called now) to get SMS on your PC.

    • wright_is

      Premium Member
      05 May, 2022 - 6:13 am

      I use a physical token wherever I can (Yubikey).

  • dftf

    04 May, 2022 - 4:19 pm

    Given the increasing number of compromised personal and business accounts every week these days, it’s way overdue to force 2FA/MFA now. Even if it’s only via SMS, it’s still better than no 2FA… and that option means people with non-smartphone devices, such as a "feature-phone" or landline, can still receive them (the SMS will be read aloud by an AI voice in the case of the latter).

    Every site I use online (well, except this one!) all support 2FA, and I use it wherever I can.

Thurrott © 2024 Thurrott LLC