GitHub to mandate 2FA for all code contributors by 2023

GitHub has announced its largest-ever push toward two-factor authentication (2FA). The world’s leading development platform said it will require all code-contributing users to enroll in 2FA by the end of 2023 to enhance the security of developer accounts and bolster security within the software supply chain. 

Given the number of developers and enterprises on the platform, GitHub’s move is significant with the risks surrounding software supply chains continuing to threaten and expose organisations more than a year after the infamous SolarWinds Sunburst attack.

2FA to be rolled out across GitHub by 2023

In a blog posting, GitHub CSO Mike Hanley stated that developer accounts are frequent targets for social engineering and account takeover, and so protecting developers from attacks is the first and most critical step toward securing the software supply chain. 

Therefore, all users who contribute code on GitHub.com will be required to enable one or more forms of 2FA by the end of 2023, allowing time for the firm to ensure that strong account security doesn’t come at the expense of usability, he added.

The goal is to move beyond basic password-based authentication to provide 2FA-enhanced defence. 

“Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to,” Hanley wrote. 

“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organisations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.”

GitHub has already enrolled all maintainers of the top-100 packages on the npm registry in mandatory 2FA and enhanced all npm accounts with login verification. 

On May 31, the firm will enroll all maintainers of the top-500 packages in mandatory 2FA, while its final cohort will be maintainers of all high-impact packages, those with more than 500 dependents or one million weekly downloads, whom it plans to enroll in the third quarter of this year. GitHub will then leverage what it has learned and apply 2FA across GitHub.com.

Speaking to CSO, David Sygula, senior analyst at CybelAngel, says that while GitHub’s plans to implement 2FA across its platform will significantly reduce the chances of account takeover, it doesn’t mean GitHub users will stop sharing secrets in their repository. 

“One of the issues is that repositories are made public; there is no need to log in, so multi-factor authentication won’t help with that. It’s a good practice, but it will be of little help in securing the supply chain.”

Software supply chain threats persist, attacks more than tripled in 2021

Software supply chain risks continue to impact organisations across the globe. In its 2021 Software Supply Chain Security Report, Argon estimated that software supply chain attacks more than tripled in 2021 compared to 2020, with more vulnerabilities and attacks discovered every month. 

Attackers focused on open-source vulnerabilities, dependency poisoning, code issues, insecure supply chain processes, or implicit trust in software suppliers to distribute malware or establish backdoors in the resources of application users, the report stated. It cited use of vulnerable packages, compromised pipeline tools and code and artifact integrity as the three main risks faced by businesses.

Argon also predicted that challenges in securing the software supply chain will remain high for organisations in 2022, with a lack of resources, gaps in supply chain security knowledge and expertise, and insufficient tools playing a significant part. 

“Collaboration with DevOps teams and automation of security within development workflows should play a major part in software supply chain security strategies,” the report concluded.