
Raising the bar for software security: GitHub 2FA begins March 13

Blog post from GitHub

Post Details
Company: GitHub
Author: Laura Paine, Hirsch Singhal
Word Count: 1,271
Language: English
Summary

GitHub has announced that all developers who contribute code on its platform must enable two-factor authentication (2FA) by the end of 2023, as part of a broader effort to strengthen software supply chain security. The requirement is meant to protect developer accounts, which are frequent targets of social engineering and account takeover (ATO) attacks, and in doing so to protect the open source ecosystem that depends on them. The rollout begins with smaller groups on March 13 and expands gradually through the year so that GitHub can adjust the process and onboard developers successfully. Affected developers are notified by email and by banners on GitHub.com and have 45 days to configure 2FA. GitHub has improved the 2FA setup experience and offers several methods, including authenticator apps, SMS, and security keys, while recommending the more secure options: TOTP and WebAuthn-compliant methods. A validation check 28 days after setup confirms that the 2FA configuration works, and users can reset it if necessary. GitHub stresses that securing open source software is a community effort, urges developers to enroll in 2FA proactively, and highlights the role 2FA plays in protecting the software supply chain.