GitHub has announced it will soon be rolling out the mandatory use of two-factor authentication (2FA) on developer’s accounts.
The software development platform will initially be emailing small groups of administrators and developers, notifying them of the change to their accounts, before its entire 100 million strong user base will eventually be enrolled on 2FA by the end of the year.
“GitHub has designed a rollout process intended to both minimize unexpected interruptions and productivity loss for users and prevent account lockouts,” said Staff Product Manager Hirsch Singhal and Product Marketing Director Laura Paine in a joint blog post (opens in new tab) on the company’s site.
“Groups of users will be asked to enable 2FA over time, each group selected based on the actions they’ve taken or the code they’ve contributed to.”
Once a user receives the 2FA email, they will have 45 days to set it up on their account.
If users still haven’t activated it after this point, they will be blocked from the full functionality of their account until 2FA has been configured by them. To prevent any surprises, though, GitHub will keep users updated on how long they have left.
GitHub previously announced in May and December 2022 that 2FA would be coming soon, and to further prepare its users, it has also published a guide on configuring 2FA (opens in new tab) and how to recover (opens in new tab) your account should you lose your 2FA device.
2FA is a type of multi-factor authentication, an extra layer of security to make sure it is actually you who is accessing your account with your username and password. A code is sent to another one of your devices, typically your smartphone, which you input after entering your login details to authenticate your identity.
For most services that use 2FA, the code can be delivered via SMS or an authenticator app. In addition to these, GitHub will also support 2FA via physical security keys and its own GitHub iOS and Android mobile apps.
GitHub however isn’t recommending that users opt for SMS 2FA, as this is less secure than other forms, as messages can be intercepted and the authentication tokens generated can be stolen.
The move to enforce 2FA follows GitHub’s recent efforts to make its service more secure. Authenticating Git operations via a user’s account password was revoked (opens in new tab) in 2019, instead requiring the use of authentication tokens such as SSH keys, which could then be further secured by security keys from 2021 (opens in new tab).