GitHub will require all users who contribute code to the platform to use 2FA as part of its latest security enhancements.
Attacks on the software supply chain are on the rise. GitHub, which has over 83 million code-contributing users, is taking the lead in protecting developers and the software supply chain with this major policy change announcement.
“At GitHub, we believe that our unique position as a home for all developers gives us both the opportunity and the responsibility to raise the bar for security across the entire software development ecosystem,” wrote Mike Hanley, director of security at GitHub, in a blog post.
“While we invest deeply in our platform and across the industry to improve overall software supply chain security, the value of that investment is fundamentally limited if we do not address the ongoing risk of account.”
GitHub pledged to invest in the security of npm accounts after the compromise of accounts without 2FA enabled led to package takeovers.
“Compromised accounts can be used to steal private code or make malicious changes to that code. This exposes not only the individuals and organizations associated with the compromised accounts, but also all users of the affected code,” says Hanley.
“The potential for downstream impact on the software ecosystem and the wider supply chain is therefore considerable.”
Today, only about 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.
Previous efforts undertaken by GitHub to protect developers include finding and invalidating passwords of known compromised users, providing robust support for WebAuthn security keys, and enrolling all npm editors in enhanced login verification.
Following the policy change announced today, GitHub will require all developer accounts to enable one or more forms of 2FA by the end of 2023.
While it’s great to see GitHub acknowledging the risks of compromised accounts, delaying policy implementation until the end of next year is bound to raise eyebrows given the current heightened risks.
We reached out to GitHub to find out why the company opted for such a long transition period.