GitHub to require 2FA for all contributors starting from March 13

GitHub is set to require two-factor authentication (2FA) for all developers who contribute code to any project on the platform, a move designed to bolster the software supply chain.

The Microsoft-owned code-hosting platform announced last May that it intended to make 2FA mandatory by the end of 2023, though it had started the process earlier that year for the top 100 packages, followed in November by other "high-impact" packages. These were defined as packages with more than 1 million weekly downloads, or more than 500 dependents (projects that use the package in question).

Now, GitHub has confirmed that platform-wide enforcement will begin on March 13, 2023 (four days from now), rolling out incrementally to different groups of developers and project administrators throughout the rest of the year.

Supply chain

With some 100 million developer users, GitHub is a pivotal part of the global software supply chain. And while concerns around software supply chain security have abounded for a while, a spate of high-profile attacks in recent years has thrust the issue to the top of political agendas globally. This includes the breach at U.S. software company SolarWinds in 2020, which impacted a slew of government and corporate entities that used the software, as well as the critical Log4Shell security flaw that emerged in a popular open source logging tool called Log4j.

Such prominent security incidents spurred the Biden administration into action back in 2021 when it issued an executive order designed to secure the country's cyber defenses. And last week, the government published a new cybersecurity strategy that included calls for Big Tech to shoulder more of the responsibility for ensuring that their systems are robust, something that mandatory 2FA will go some way toward aiding.

Open source software in particular has been a major focal point of the administration's cybersecurity efforts over the past couple of years, due in large part to its pervasiveness. Indeed, the vast majority of software contains at least some open source components, and many of those components are the handiwork of one or two developers who work on them in their spare time with little in the way of financial support.

And it's against that backdrop that GitHub has been pushing the 2FA agenda over the past year, as it looks to reduce the chances of key open source projects being compromised by bad actors through social engineering or similar account takeover attempts.

Staggered rollout