Following through on a pledge made last year, GitHub on March 13 will begin phasing in two-factor authentication (2FA) requirements for developers contributing code to the popular code sharing site. All developers will be required to comply by the end of the year.
Smaller groups will be required to enroll in 2FA as of next week, with GitHub selecting accounts for enrollment, the company said on March 9. One or more forms of 2FA will be required, affecting millions of developers. Those chosen will be notified via email and will see a banner on GitHub.com asking them to enroll. Users will have 45 days to configure 2FA on their accounts. Notifications can be “snoozed,” or paused, for as long as a week. The gradual rollout is intended to help GitHub ensure users are on board, with adjustments made as needed, before the process is scaled to larger groups as the year progresses.
By requiring the use of 2FA, GitHub is attempting to secure software development by improving account security. Developers’ accounts are frequently targeted for social engineering and account takeover, GitHub said.
Users can choose TOTP (Time-based One-Time Password), SMS (Short Message Service), security keys, or GitHub Mobile as their preferred 2FA method. GitHub advises using security keys and TOTP wherever possible; SMS does not provide the same level of protection and is no longer recommended under NIST 800-63B, the company said.
GitHub noted that users can have both an authenticator app (TOTP) and an SMS number. Users will see a prompt after 28 days asking them to perform 2FA and to confirm their second-factor settings. The prompt is intended to help avoid account lockout caused by misconfigured authenticator applications. Users can unlink their email address from a two-factor-enabled GitHub account if they are unable to sign in to or recover it.
Also, passkeys, a replacement for passwords, are being tested internally. GitHub believes this technology will combine ease of use with strong, phishing-resistant authentication.