Here’s some news that’s both simple and a long way from taking effect, but important nonetheless: by the end of 2023, GitHub will require all users who contribute code to the platform to enable one or more forms of two-factor authentication (2FA).
And that’s pretty much all there is to the news. Today, according to the Microsoft-owned company, only 16.5% of active GitHub users and 6.44% of npm users use 2FA. That’s not much, and frankly, less than I expected.
“Compromised accounts can be used to steal private code or make malicious changes to that code. This puts not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. As a result, the potential for downstream impact on the broader software ecosystem and supply chain is significant,” writes Mike Hanley, GitHub’s chief security officer, in today’s announcement.
He also notes that the company wants to make sure the extra layer of security doesn’t come at the expense of user experience, which is why there is such a long gap between today’s announcement and enforcement. “Our end-of-2023 target gives us the opportunity to optimize for this,” Hanley explains. The move to mandatory 2FA will mean changes to the user interface both on the command line and in the GitHub web interface.
It’s worth noting that earlier this year, GitHub also enrolled the maintainers of the top 100 npm packages in mandatory two-factor authentication to guard against attacks on the software supply chain. This month, GitHub plans to extend that requirement to the maintainers of the top 500 packages, and then to all packages with more than 500 dependents or 1 million weekly downloads.
Credit: techcrunch.com