GitHub is urging users to enable two-factor authentication on their accounts or risk losing access to key software development modules and features.
“This is a reminder that we announced that we are requiring users contributing code on GitHub.com to enable two-factor authentication (2FA),” the company said in an email sent out to developers on Christmas Eve.
Anyone submitting code to GitHub.com must have 2FA enabled by January 19th, 2024. GitHub development projects have been a hot target for malicious actors over the years, resulting in supply-chain attacks.
Mike Hanley, the Chief Security Officer and SVP of Engineering at GitHub, acknowledged this matter in a blog post earlier this year:
“Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to,” Hanley wrote in May.
“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.”
The company has already taken preemptive measures by deprecating basic (password) authentication for Git operations and the API, and by requiring email-based device verification in addition to a username and password. Enforcing 2FA is the next line of defense against unauthorized access.
“On January 19th, 2024 at 00:00 (UTC) your account will be required to have 2FA for authentication,” the email notification continues. “If you have not yet enrolled by that date, your ability to access GitHub.com will be limited until you finish the enrollment process.”
If you’re a GitHub user, you can choose between TOTP, SMS, security keys, or GitHub Mobile as your preferred 2FA.
You’ll need at least two methods enabled (for example, an authenticator app plus SMS), and it’s recommended that you save your recovery codes in case of account lockout. If you get locked out, you can only regain control of your account via your recovery codes.
You can configure 2FA using an authenticator app or SMS. Once you’ve enabled 2FA, you can then add security keys as an alternate 2FA method.
GitHub recommends the use of security keys and TOTPs wherever possible. SMS-based 2FA, while still better than nothing, does not provide the same level of protection, and it is no longer recommended under NIST 800-63B.
Remember to only use trusted authenticator apps with your online accounts as there are quite a few shady “solutions” lurking in the app stores.