GitHub is finally getting around to enforcing two-factor authentication (2FA) for every account that contributes code on the site, in a bid to curb account takeover through stolen, reused or phished passwords and the supply-chain attacks that follow from it.
GitHub, one of the world's largest code hosting platforms, is a constant target for attackers who want to exploit its vast reach. By default, accounts are protected like any other online resource -- with a password. Because projects are run by people, and people reuse and mishandle passwords, a single leaked or guessed password is enough for a criminal to take over an account. That is before counting the passwords exposed in breaches of other services, which reach the same outcome by a different path.
Reusing a password from another site, or choosing a weak one, leaves a project exposed to credential stuffing and password guessing. And because many GitHub projects are pulled in as dependencies by developers and companies worldwide, a single compromised maintainer account lets an attacker push malicious code to everyone downstream. 2FA is now set to become mandatory for all code contributors, after an initial phase of the program that covered only a smaller group of accounts.
"Over the course of the next year, we'll be reaching out to groups of developers and administrators, starting with smaller groups on March 13, to notify them of their 2FA enrollment requirement," the company said on its website.
"You'll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. We'll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com," the company added.
With so many accounts and projects hosted on GitHub, enforcing the requirement for everyone at once is impractical, so the rollout proceeds in groups and will take the better part of the year to complete.