Last year, Microsoft made a significant change to GitHub’s authentication rules. The change required developers who build apps on the platform to enable two-factor authentication (2FA) by the end of 2023, as part of a platform-wide effort to secure the software ecosystem through improving account security.
GitHub announced that the 2FA requirement has already started rolling out to developers as of March 13, starting with smaller groups of both admins and developers.
The requirement will roll out to the rest of the developers gradually. The goal of the staged rollout is to put stronger account-security measures in place across the platform while letting developers keep working with minimal disruption.
According to GitHub:
Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security. Developers’ accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain.
GitHub indicated that if you are selected for enrollment, you’ll get a notification via email alongside a banner on GitHub.com prompting you to enroll. You’ll then have 45 days to comply and configure 2FA on your account.
Once this period lapses, developers will be required to enable 2FA when trying to access the website. However, they can still pause the prompt for up to one week. After that, their access to the platform will be limited.
Developers can choose their preferred 2FA method from security keys, SMS, Time-based One-Time Password (TOTP) apps, GitHub Mobile 2FA, and more. However, the company has highlighted that SMS-based 2FA isn’t as secure as the rest and that it’s no longer recommended under NIST 800-63B.
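To make the TOTP option concrete, here is an added example (not GitHub's code, and not from the article) of how a server generates and verifies RFC 6238 time-based codes: HMAC-SHA1 over a time-step counter, a small skew window for clock drift, constant-time comparison, and a last-used-counter check so a code that was captured once cannot be replayed. The seed is the published RFC 4226/6238 test-vector seed, not a real credential, and the function and parameter names are this example's own. A verifier like this shows why TOTP beats SMS on the delivery channel, but it still accepts any valid code presented within the window, which is the gap the phishing-resistant passkeys mentioned below are meant to close.

```python
"""TOTP (RFC 6238) generation and verification with a skew window and
replay protection. Illustrative example only; not GitHub's implementation.
The seed below is the RFC 4226/6238 test-vector seed, not a real secret."""
import hashlib
import hmac
import struct
from typing import Optional

# Published RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter that `submitted` matches, or None.

    - Accepts counters within +/- `window` steps to tolerate clock drift.
    - Rejects any counter <= `last_counter`, so a code that was already
      used (or an older one) cannot be replayed; the caller persists the
      returned counter per user and passes it back on the next attempt.
    - Uses hmac.compare_digest so a mismatch leaks no timing signal.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    import time
    # Prints the code an authenticator app provisioned with RFC_SEED would show now.
    print("current code:", totp(RFC_SEED, int(time.time())))
```

The returned counter is what the server stores as `last_counter`; on the next login the same code (or any older one) is refused even if it still falls inside the skew window, which is the replay guard RFC 6238 recommends.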
GitHub also indicated that it is currently testing passkeys internally. Passkeys combine “ease of use with strong, phishing-resistant authentication.”
Do you use GitHub to write code? Share your thoughts with us regarding this change in the comments.
via: The New Stack