Beginning on March 13, GitHub will start requiring some form of multifactor authentication for every individual who contributes code on the platform. The change, which has been a year in the making, will happen gradually and start with small groups of developers, but ultimately will include all of the more than 100 million developers who contribute to projects by the end of 2023.
The requirement, announced last May, is part of an effort to prevent account takeovers and, by extension, protect the integrity of the open source software supply chain. As the largest software collaboration platform, GitHub is a prime target for attackers looking to take over maintainers’ or developers’ accounts. Account takeovers have been an issue for many large platform providers for several years, and inserting malicious code into popular open source projects has become a favorite tactic for attackers. Rather than address the issue piecemeal, GitHub officials decided to raise the security baseline for every developer on the platform.
“It’s a long-running problem but we also know two-factor adoption is remarkably low, and for us we don’t want to wait any longer. It’s a worthwhile investment from an engineering and documentation standpoint for people to understand why this is important and why it matters. We still see account takeovers by way of social engineering,” said Mike Hanley, GitHub CSO and senior vice president of engineering.
“I don’t think we can make progress fast enough on this as a community.”
The gradual rollout of the 2FA mandate will start with small cohorts on March 13. The developers in those groups will get email notifications and see a banner on the site informing them that they have 45 days to enroll in some method of 2FA. GitHub is not mandating a specific form of 2FA: it strongly recommends that developers use hardware security keys if at all possible, but 2FA apps and SMS are also options.
“There are different levels of security and recommended best practices. We want people to adopt the best available form factor and strength that are available to them,” Hanley said.
“SMS is still pretty prevalent around the world and will be for quite some time. It’s important for us to be available to those developers and give them the best available security measure. It’s a tradeoff because we all know SMS is fraught, but at the moment we feel like it’s best to make it available for now. There’s an economic barrier to security keys and we don’t want to exclude anyone.”
GitHub has some experience to lean on in this process, having already gone through it with the npm package-management platform that the company bought a few years ago. Takeovers of npm accounts without 2FA enabled were a common issue, so GitHub began rolling out mandatory 2FA for npm package maintainers in December 2021. That process went more smoothly than expected, Hanley said, and gave the company the confidence to make the same change on GitHub.
“Publisher and maintainer accounts were very valuable targets for malicious actors because they can pull that package and insert malware. The reaction on npm was to push ahead with 2FA. We anticipated more challenges and were surprised by how few issues came up. There’s never a good time to be interrupted and enroll in this,” Hanley said.
“We learned a lot from what it would take to do that as we’re working our way through the cohorts, but GitHub is different in terms of size and scale.”
GitHub is not alone in pushing its community toward 2FA adoption. Last year, PyPI, the Python package index, began requiring 2FA for the maintainers of critical projects, and RubyGems also requires 2FA for popular projects.
“We are hoping that others will follow us on this and we felt like it was our responsibility to do this,” Hanley said.