By the end of 2023, GitHub will require all users who contribute code on the platform to enable one or more forms of two-factor authentication (2FA). Today, the Microsoft-owned company said that only about 16.5% of active GitHub users and 6.44% of NPM users currently use 2FA. That is not much, and frankly it is less than one would expect.
"A compromised account can be used to steal or maliciously modify unpublished private code. This puts at risk not only the individuals and organizations associated with the compromised account, but also any users of the affected code," Mike Hanley, GitHub's chief security officer, wrote in today's announcement. "There is therefore a great possibility of downstream impact on the wider software ecosystem and supply chain."
He also pointed out that the company wants to make sure the additional security layer does not come at the expense of the user experience, which is why there is such a long gap between today's announcement and the date the requirement takes effect. "Our end-of-2023 goal gives us the opportunity to optimize for this," Hanley explained. The switch to mandatory 2FA involves a series of changes to the user experience, both on the command line and in the GitHub web interface.
It is worth noting that earlier this year GitHub also made 2FA mandatory for the maintainers of the top 100 NPM packages, to help prevent software supply chain attacks. It plans to extend the requirement to the maintainers of the top 500 packages this month, and then to all packages with more than 500 dependents (that is, packages that depend on them) or more than 1 million downloads per week.