GitHub is making a major push toward two-factor authentication (2FA), requiring all users who contribute code to GitHub-hosted repositories to enable one or more forms of 2FA by the end of 2023. The move will impact 83 million developers, at last count.
In explaining its reasoning, GitHub said most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that give attackers access to victims’ accounts. Compromised accounts can be used to steal private code or push malicious changes into code, affecting application users as well. The potential for downstream impact on the broader software ecosystem and supply chain is substantial. The best defense is moving beyond password-based authentication, the company said.