Tuesday October 04, 2022

All code contributors will be required to use two-factor authentication by GitHub

GitHub, the code-hosting platform used by tens of millions of software developers worldwide, announced today that all users uploading code to the site must enable at least one form of two-factor authentication (2FA) by the end of 2023. The announcement came in a blog post written by Mike Hanley, GitHub’s chief security officer (CSO). Hanley highlighted the Microsoft-owned platform’s role in protecting the integrity of the software development process from threats such as hackers taking over developer accounts.
Hanley wrote that the software supply chain begins with the developer. Protecting developers against these types of attacks is the first step to securing the supply chain.
GitHub’s internal research has shown that multi-factor authentication offers significant additional protection for online accounts. However, only 16.5 percent of active users (roughly a sixth) enable the enhanced security features on their accounts. This is a surprising figure considering that the platform’s user base should be well aware of the dangers of password-only protection.
Hanley explained to The Verge that GitHub aims to increase the security of the entire software development community by directing users towards a higher level of account protection.
Hanley stated that GitHub is in a unique situation because of the large number of open source and creator communities on GitHub.com. “We can have a significant positive effect on the security of our ecosystem by raising security hygiene standards,” Hanley said. “We believe it’s one of the most important ecosystem-wide benefits we can provide. We’re committed to working through any obstacles and challenges to ensure that there’s successful adoption.”
GitHub has established a precedent for mandatory 2FA use with a smaller group of platform users. It has tested the requirement with contributors of popular JavaScript libraries distributed via the package management software NPM. These libraries are a popular target for malware gangs, as they can be downloaded millions upon millions of times per day. Hackers have used compromised NPM contributor accounts to publish software updates that included password-stealing malware and cryptocurrency miners.
GitHub responded by making two-factor authentication mandatory for maintainers of the 100 most used NPM packages starting February 2022. The company intends to extend the same requirements for contributors to the top 500 packages before the end of May.
Hanley stated that the platform will use the insights from the smaller trial to speed up the rollout of 2FA. He said that NPM has already provided the opportunity to do this. “I believe we have a great advantage,” he said. “We have learned a lot through that experience, in terms of feedback we’ve received from developers and the creator community that we’ve spoken to, and we had an active dialog about what good [practice] looks like with them.”
Hanley explained that this would mean setting aside a long lead time before making 2FA mandatory across the whole site and creating a variety of onboarding flows to encourage adoption well before 2024.
Securing open-source software remains a pressing concern for the software industry, especially after last year’s log4j vulnerabilities. While GitHub’s new policy may mitigate some threats, systemic challenges remain. Many open-source software projects are still maintained by unpaid volunteers, and closing that funding gap is a major problem for the tech industry.
