By Mike Hanley, Chief Security Officer, GitHub.
The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain. As part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
Why account security and 2FA matter
In November 2021, GitHub committed to new investments in npm account security in the wake of npm package takeovers resulting from the compromise of developer accounts without 2FA enabled. We continue to introduce improvements to npm account security, and are equally committed to securing the accounts of developers using GitHub.
Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to. Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.
The best defense against this is moving beyond basic password-based authentication. We have already taken steps in this direction by deprecating basic authentication for Git operations and our API, and by requiring email-based device verification in addition to a username and password. 2FA is a powerful next line of defense; however, despite its demonstrated success, 2FA adoption across the software ecosystem remains low overall. Today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.
In February we enrolled all maintainers of the top-100 packages on the npm registry in mandatory 2FA, and in March we enrolled all npm accounts in enhanced login verification. On May 31, we will enroll all maintainers of the top-500 packages in mandatory 2FA. Our final cohort will be maintainers of all high-impact packages, those with more than 500 dependents or 1 million weekly downloads, whom we plan to enroll in the third quarter of this year. We will take what we learn from requiring 2FA on npm and apply those lessons to our efforts on GitHub.com.