In February this year, GitHub announced that the top-100 NPM package maintainers would be required to enable 2FA (two-factor authentication). In May this year, GitHub required all users who contribute code to enable 2FA before the end of 2023. Now GitHub is extending this requirement to the top-500 NPM package maintainers.
In GitHub's official blog post, it was written that "based on the popularity of dependent use, the maintainers of the top-500 packages on the NPM registry are now required to enable two-factor authentication". At the beginning of this month, GitHub said that only 16.5% of active GitHub users and 6.44% of NPM users use 2FA. Frankly speaking, this proportion is low.
Mike Hanley, Chief Security Officer of GitHub, said: "A compromised account can be used to steal unpublished private code or make malicious modifications to the code. This not only puts the individuals and organizations related to the compromised account at risk, but also any users of the affected code. Therefore, it is very likely to have a downstream impact on the broader software ecosystem and supply chain."
GitHub first launched enhanced login verification between December 7, 2021 and January 4, 2022, with the aim of enabling it for all NPM publishers. After expanding to the top-500 NPM package maintainers, GitHub's next step is to expand the requirement to all packages that have more than 500 dependents or more than 1 million downloads per week.
Based on the results of this initial stage, GitHub plans to enroll all NPM accounts in enhanced login verification on March 1, 2022. Before that release, GitHub said it will run two temporary enforcement windows, on February 16 and February 23, during which all accounts are enrolled for 24 hours, to make sure nothing breaks when the feature is permanently enabled for all customers. To learn more about enhanced login verification, see GitHub's documentation.