
Raising the bar for software security: next steps for GitHub.com 2FA

Blog post from GitHub

Post Details
Company: GitHub
Author: John Swanson
Word Count: 748
Language: English
Summary

GitHub is enhancing its security measures by requiring developers to enable two-factor authentication (2FA), particularly targeting maintainers of high-traffic packages and contributors to critical repositories, with a gradual rollout throughout 2023. This initiative aims to mitigate account theft and bolster the security of the software development ecosystem. Starting in March 2023, GitHub will notify users in distinct groups about the requirement to enable 2FA, providing a 45-day notice period before enforcement. Users will receive reminders and have the option to delay enabling 2FA by one week after the deadline, ensuring minimal disruption. GitHub will monitor the rollout's effectiveness by evaluating user success rates, account lockout incidents, and support needs, adjusting the approach as necessary. The company is also working to improve 2FA onboarding and account recovery, and plans to introduce passkey support for stronger authentication.