GitHub announced Wednesday a plan to roll out two-factor authentication to all contributors by the end of 2023. This will be a significant change for most GitHub users because, according to the company, only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA.
The company started the transition in February 2022 by enrolling all maintainers of the top-100 packages on the npm registry in mandatory 2FA. In March 2022 GitHub enrolled all npm accounts in enhanced login verification. At the end of May 2022, all developers who maintain the top-500 packages in this new security step.
GitHub plans to enroll maintainers of all high-impact packages which includes those with more than 500 dependents or 1 million weekly downloads.
Myles Borins, Product Manager at GitHub, said about 88% of top-100 maintainers have already enabled 2FA.
“The work we have done to improve npm’s account security has also provided a ton of useful perspective and allows us to consider new changes in technology and security standards as we approach our work for GitHub.com,” Borins said. “As an example, work to refresh npm’s account lockout recovery processes has provided useful lessons as we work to improve account recovery on GitHub.com.”
Borins said GitHub wants to see more customers adopt 2FA both in protecting their source code on GitHub and when publishing it to the npm public registry.
“By utilizing npm automation tokens and GitHub Actions, customers can fully automate the deployment process of their packages in a secure way while fully protecting their accounts with 2FA,” Borins said.
In a blog post about the news, Mike Hanley, chief security officer at GitHub, said the change was motivated by the npm package takeovers that resulted from compromised developer accounts that did not have 2FA enabled. A node package manager is an online repository for publishing open-source Node.js projects and a command-line utility for working with the repository for package installation, version management and dependency management.
The new 2FA requirement aims to reduce the risk of social engineering attacks, credential theft and other tactics used to gain access to developer accounts. GitHub sees this new requirement as a step in securing the software supply chain:
“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.”
GitHub announced in January 2022 that developers could use GitHub Mobile on iOS and Android for two-factor authentication. The company also published a guide to securing the software supply chain that included these recommendations:
- Configure two-factor authentication for your personal account
- Connect to GitHub using SSH keys
- Centralize user authentication (enterprises)
- Configure two-factor authentication (organizations and enterprises)
- Create a vulnerability management program for dependencies
- Secure your communication tokens
- Keep vulnerable coding patterns out of your repository
- Sign your builds
- Harden security for GitHub Actions
Microsoft recommends implementing 2FA as a way to prevent 99.9% of account compromise attacks and Google also has started using the security tactic. In 2021, Google started to auto-enroll users in two-step verification. The company said that this protection is now in place for more than 150 million people and more than two million YouTube users. This change has resulted in a 50% decrease in accounts being compromised, according to the company.