
GitHub begins 2FA rollout | InfoWorld

Following up on a promise made last year, GitHub will begin phasing in two-factor authentication (2FA) requirements for developers contributing code to the popular code-sharing site on March 13. All developers will have to comply before the end of the year.

Smaller groups will be required to sign up for 2FA starting next week, with GitHub selecting accounts for signup, the company said on March 9. One or more forms of 2FA will be required, affecting millions of developers. Those chosen will be notified by email and will see a banner on GitHub.com asking them to sign up. Users will have 45 days to set up 2FA on their accounts. Notifications can be “snoozed” or paused for a week. The gradual rollout is intended to help GitHub ensure users are on board, with adjustments made as needed, before the process is rolled out to larger groups as the year progresses.

By requiring 2FA, GitHub aims to secure software development by improving account security. Developer accounts are frequent targets of social engineering and account takeover, GitHub said.

Users can choose a preferred 2FA method from options such as TOTP (time-based one-time password), SMS (short message service), security keys, or GitHub Mobile. GitHub recommends using security keys and TOTP whenever possible; SMS does not provide the same level of protection and is no longer recommended under NIST 800-63B, the company said.

GitHub noted that users can have both an authenticator app (TOTP) and an SMS number. Users will see a prompt after 28 days asking them to perform 2FA and confirm their second-factor settings. The notice will help prevent account lockout due to misconfigured authenticator apps. Users can unlink their email address from a two-factor-enabled GitHub account in case they can’t log in or recover it.


Also, passkeys, a replacement for passwords, are being tested internally. GitHub believes that this technology will combine ease of use with strong, phishing-resistant authentication.

Copyright © 2023 IDG Communications, Inc.
