Friday, 13 May 2022 00:19

Security starts with the developer - GitHub to mandate 2FA by end of 2023


The software supply chain starts with the developer, and with developer accounts being prized targets for account takeover, GitHub will require all users who contribute code to enable one or more forms of 2FA before the end of 2023.

Supply chain attacks can inject security vulnerabilities into tools, libraries and code, which can then be installed far and wide. GitHub recognises this, and its role in protecting its 83 million global developers (one million of them in Australia), and has announced mandatory two-factor authentication.

GitHub has a long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.

GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and the target of the end of 2023 allows the company time to optimise for this. Developers everywhere can expect more options for secure authentication and account recovery, along with improvements that help prevent and recover from account compromise.

GitHub has already found, from its work in November 2021 to combat npm package takeovers, that 2FA has made a big difference, and the company is equally committed to securing the accounts of all GitHub developers.

The company finds most security breaches are not the result of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to.

It's a serious problem. Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organisations associated with the compromised accounts at risk but also any users of the affected code. The potential for downstream impact on the broader software ecosystem and supply chain, as a result, is substantial.

Hence, moving beyond basic password-based authentication is essential. Yet, while 2FA has been demonstrated to be successful, 2FA adoption across the software ecosystem is low. Only 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.

GitHub has already enrolled all maintainers of the top 100 packages on the npm registry to mandatory 2FA, and in March enrolled all npm accounts in enhanced login verification.

On May 31 GitHub will be enrolling all maintainers of the top 500 packages in mandatory 2FA. The final cohort will be maintainers of all high-impact packages, those with more than 500 dependents or one million weekly downloads, whom GitHub plans to enrol in the third quarter of this year. It will leverage what it learned from requiring 2FA on npm and apply those lessons to these further efforts.

2FA for GitHub Mobile is already available on iOS and Android, though to configure it you will need to have at least one other form of 2FA enabled.

Meanwhile, organisation and enterprise GitHub users can also require 2FA for members of their organisations or enterprises. Be careful: when the setting is enabled it removes any members and owners who do not use 2FA, so you need to get your people enrolled in 2FA before turning on mandatory 2FA.
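As an added example, not from the article or from GitHub's own tooling: a pre-flight check for the organisation setting just described, using the REST API's list-members endpoint with the documented `filter=2fa_disabled` parameter (available only to organisation owners) and `role=admin` to separate owners from ordinary members. The `fetch` callable is injected so the pagination logic runs offline against the constructed responses in `fake_fetch`; the organisation name `acme` and the token are placeholders.

```python
import json
import re
import urllib.request
from collections.abc import Callable

API = "https://api.github.com"
NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')
# A fetcher takes (url, token) and returns (response body, Link header or "").
Fetcher = Callable[[str, str], tuple[str, str]]

def http_fetch(url: str, token: str) -> tuple[str, str]:
    """Real fetcher: one authenticated GET against the GitHub REST API."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode(), resp.headers.get("Link", "")

def list_members(org: str, token: str, fetch: Fetcher, **params: str) -> list[dict]:
    """GET /orgs/{org}/members, following rel="next" Link headers to the last page."""
    query = "&".join(f"{k}={v}" for k, v in {"per_page": "100", **params}.items())
    url, members = f"{API}/orgs/{org}/members?{query}", []
    while url:
        body, link = fetch(url, token)
        members.extend(json.loads(body))
        m = NEXT_LINK.search(link)
        url = m.group(1) if m else ""
    return members

def members_without_2fa(org: str, token: str, fetch: Fetcher = http_fetch) -> dict[str, list[str]]:
    """Logins that the org-wide 2FA requirement would remove, split into owners
    (role=admin) and ordinary members; enrol these people before enabling it."""
    no_2fa = {m["login"] for m in list_members(org, token, fetch, filter="2fa_disabled")}
    owners = {m["login"] for m in list_members(org, token, fetch, role="admin")}
    return {"owners": sorted(no_2fa & owners), "members": sorted(no_2fa - owners)}

def fake_fetch(url: str, token: str) -> tuple[str, str]:
    """Constructed API responses (org 'acme' is a placeholder) so this runs offline."""
    page1 = f"{API}/orgs/acme/members?per_page=100&filter=2fa_disabled"
    pages = {
        page1: ('[{"login": "alice"}, {"login": "bob"}]', f'<{page1}&page=2>; rel="next"'),
        page1 + "&page=2": ('[{"login": "carol"}]', ""),
        f"{API}/orgs/acme/members?per_page=100&role=admin":
            ('[{"login": "alice"}, {"login": "dave"}]', ""),
    }
    return pages[url]

if __name__ == "__main__":
    import os, sys  # usage: GITHUB_TOKEN=... python check_2fa.py <org>
    print(json.dumps(members_without_2fa(sys.argv[1], os.environ["GITHUB_TOKEN"]), indent=2))
```

Owners on the list deserve attention first, since losing the last 2FA-less owner's access is harder to recover from than re-inviting a member.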

More information on securing your GitHub account with 2FA is available here.




David M Williams

David has been computing since 1984, when he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and in other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen and seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
