Paul Krill
Editor at Large

GitHub begins 2FA rollout

news
Mar 9, 2023 | 2 min read

GitHub will begin selecting accounts for enrollment in two-factor authentication next week. All users will be required to use 2FA by year-end.


Following through on a pledge made last year, GitHub on March 13 will begin phasing in two-factor authentication (2FA) requirements for developers contributing code to the popular code sharing site. All developers will be required to comply by the end of the year.

Smaller groups will be required to enroll in 2FA as of next week, with GitHub selecting accounts for enrollment, the company said on March 9. One or more forms of 2FA will be required, affecting millions of developers. Those chosen will be notified via email and will see a banner on GitHub.com asking them to enroll. Users will have 45 days to configure 2FA on their accounts. Notifications can be “snoozed,” or paused, for as long as a week. The gradual rollout is intended to help GitHub ensure users are on board, with adjustments made as needed, before the process is scaled to larger groups as the year progresses.

By requiring the use of 2FA, GitHub is attempting to secure software development by improving account security. Developers’ accounts are frequently targeted for social engineering and account takeover, GitHub said.

Users can choose among several 2FA methods: TOTP (Time-based One-Time Password) authenticator apps, SMS (Short Message Service), security keys, or GitHub Mobile, and can mark one as their preferred method. GitHub advises using security keys and TOTP wherever possible; SMS does not provide the same level of protection and is no longer recommended under NIST SP 800-63B, the company said. (SMS codes can be diverted by SIM swapping and relayed through phishing pages; a FIDO security key binds its assertion to the site origin, which is why it counts as phishing-resistant.)

GitHub noted that users can register both an authenticator app (TOTP) and an SMS number. Users will see a prompt 28 days after enrolling asking them to perform 2FA and confirm their second-factor settings; the prompt is meant to catch misconfigured authenticator applications before they cause an account lockout. Users can also unlink their email address from a two-factor-enabled GitHub account if they are unable to sign in to or recover it.

Also, passkeys, a replacement for passwords, are being tested internally. GitHub believes this technology will combine ease of use with strong, phishing-resistant authentication.
