GitHub’s 2FA rollout seeks to enhance the security of developer accounts and protect the software supply chain. Credit: Fatos Bytyqi

GitHub has begun its official rollout of two-factor authentication (2FA) for developers who contribute code to the platform, to enhance the security of accounts and the software supply chain. GitHub first announced its intention to mandate 2FA for all code contributors in May 2022, and will begin the first group’s enrollment on Monday, March 13. GitHub is allowing users to choose their preferred 2FA method – SMS, TOTP, security keys, or GitHub Mobile. The rollout comes a week after the White House released an ambitious National Cybersecurity Strategy that puts responsibility on software vendors to secure the software ecosystem.

GitHub developers, administrators have 45 days to configure 2FA on accounts

GitHub will be reaching out to groups of developers and administrators over the course of the year to start their 2FA enrollment, with the first being contacted next week. Developers and administrators will then have 45 days to configure 2FA on their accounts. To ensure a smooth 2FA experience, GitHub is offering contributors several authentication options, the development platform said.
These include:

- Choice of preferred 2FA method: Users can choose among TOTP, SMS, security keys, or GitHub Mobile as their preferred 2FA method.
- Second-factor validation after 2FA setup: This helps avoid account lockout due to misconfigured authenticator applications (TOTP apps).
- Enrollment of second factors: Developers and administrators can register both an authenticator app (TOTP) and an SMS number to their account at the same time, which helps reduce account lockout by providing another accessible 2FA option.
- Email unlinking in case of 2FA lockout: Developers and administrators can unlink their email address from a two-factor enabled GitHub account in case they’re unable to sign in or recover it.

Protecting developers key to securing software supply chain

In a blog published last May, GitHub CSO Mike Hanley stated that developer accounts are frequent targets for social engineering and account takeover, and so protecting developers from attacks is the first and most critical step toward securing the software supply chain. All users who contribute code on GitHub will be required to enable one or more forms of 2FA by the end of 2023, he added. The goal is to move beyond basic password-based authentication to provide 2FA-enhanced defense.

“Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to,” Hanley wrote. “Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code.
The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.”

CybelAngel senior analyst David Sygula told CSO in May that while GitHub’s plans to implement 2FA across its platform will significantly reduce the chances of account takeover, it doesn’t mean GitHub users will stop sharing secrets in their repository. “One of the issues is that repositories are made public; there is no need to log in, so multi-factor authentication won’t help with that. It’s a good practice, but it will be of little help in securing the supply chain.”
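The “second-factor validation after 2FA setup” item above is the step that catches a misconfigured authenticator before it can lock a user out. The following is an added illustration of that check, not GitHub’s code: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and verifies the first code a freshly configured app produces, tolerating one step of clock drift. The secret is the RFC 6238 test-vector key, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # code length used by most authenticator apps


def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_enrollment(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Validate the code from a newly configured authenticator before enabling 2FA.

    A small +/- `window` of time steps tolerates phone clock drift; anything else
    (wrong secret scanned, app bound to a different account) is rejected so the
    user is not locked out later by an authenticator that never worked.
    Each comparison is constant-time so it does not leak how many digits matched.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * STEP), submitted)
        for k in range(-window, window + 1)
    )


# Constructed sample: the RFC 6238 test-vector key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    t = 59  # RFC 6238 vector: SHA-1 code at T=59 is 94287082, i.e. "287082" at 6 digits
    code = totp(SAMPLE_SECRET, t)
    print(code, verify_enrollment(SAMPLE_SECRET, code, t))
    # Same code presented with no drift tolerance at a later step is rejected.
    print(verify_enrollment(SAMPLE_SECRET, code, t + STEP, window=0))
```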