GitHub will require all users who contribute code on the platform to enable two-factor authentication (2FA) by 2023, as an extra protection measure for their accounts.
The two-factor authentication method increases account security by adding an extra step to the login process, which requires you to enter a unique code.
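The "unique code" in that extra login step is, for authenticator apps, a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time slot, keyed with a secret shared at enrollment. The following is an added, self-contained illustration, not code from the article or from GitHub, showing how such a code is generated and how a server verifies it with a small clock-skew window while refusing to accept the same time slot twice (the usual replay defence). The secret used is the published RFC 4226/6238 test key, so the values can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    (chunk,) = struct.unpack(">I", digest[offset:offset + 4])
    code = (chunk & 0x7FFFFFFF) % (10 ** digits)    # clear the sign bit, keep `digits` decimal digits
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the accepted time-slot counter, or None.

    `window` allows +/- that many slots of clock skew between client and server.
    `last_counter` is the slot of the most recently accepted code for this user;
    any slot at or before it is refused, so a captured code cannot be replayed.
    """
    current = at // step
    for delta in range(-window, window + 1):
        slot = current + delta
        if last_counter is not None and slot <= last_counter:
            continue
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(hotp(secret, slot, digits), code):
            return slot
    return None


def new_enrollment_secret(nbytes: int = 20) -> str:
    """Secret to provision into an authenticator app, base32-encoded as apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    # At unix time 59 the slot is 1; RFC 6238 lists 94287082 for the 8-digit SHA-1 code.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    # Login: first use of the code is accepted, a replay of the same code is not.
    code = totp(RFC_TEST_SECRET, 59)
    accepted = verify_totp(RFC_TEST_SECRET, code, 59)
    replay = verify_totp(RFC_TEST_SECRET, code, 61, last_counter=accepted)
    print(accepted, replay)
```

The replay rule is what makes a stolen code worthless after a few seconds: even inside the skew window, a slot that has already been accepted is never accepted again. A server would also rate-limit attempts per account, since a 6-digit code can be guessed if unlimited tries are allowed.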
Takeovers of GitHub user accounts can result in malicious code being introduced into projects, enabling supply chain attacks. The impact could be significant, depending on the popularity of the affected project.
The platform will be safer and users will feel better about downloading code from repositories if 2FA is made mandatory.
The software collaboration and hosting platform had earlier made a similar announcement. That decision concerned active developers involved in projects with more than a million downloads a week or 500 dependents.
The 2FA requirement has now been extended to all users, approximately 83 million accounts.
Although GitHub had previously announced the decision, it is now sharing more information about how it will implement it.
Implementing the 2FA requirement
GitHub will begin enforcing 2FA for all GitHub accounts starting March 2023, initially for a small set of contributor groups.
Before the rollout is scaled up to bigger groups, it will be assessed on onboarding success, account lockouts, recovery, and support ticket volume.
GitHub claims that the pool will consist of large groups based on the following criteria.
- Users who have published GitHub Apps, OAuth apps, or packages
- Release creators
- Enterprise and organization administrators
- Contributors to code repositories that were deemed crucial by PyPI, OpenSSF or RubyGems
- Users who have contributed code to the top 4 million repositories
Everyone who receives an email notice about the 2FA requirement will have 45 days to complete enrollment.
After the deadline has passed, users will see a prompt asking them to activate 2FA in GitHub. If they don’t take the required action, they may be blocked from accessing GitHub.
GitHub clarifies that “This one week snooze period starts after you sign in following the deadline. So if you are on vacation, don’t worry – you won’t be locked out of GitHub.com.”
Users will be checked every 28 days to ensure that 2FA is enabled. This check also gives users an opportunity to reset their 2FA settings and recover any lost codes.