GitHub makes 2FA mandatory next week for active developers

GitHub will start requiring active developers to enable two-factor authentication (2FA) on their accounts beginning next week, on March 13.

Once expanded to the company’s entire user base, the will help secure the accounts of .

The gradual rollout will start next week with GitHub reaching out to smaller groups of administrators and developers via email and will speed up as the end of the year approaches to ensure that onboarding is seamless and users have time to sort out any issues.

“GitHub has designed a rollout process intended to both minimize unexpected interruptions and productivity loss for users and prevent account lockouts,” said Staff Product Manager Hirsch Singhal and Product Marketing Director Laura Paine.

“Groups of users will be asked to enable 2FA over time, each group selected based on the actions they’ve taken or the code they’ve contributed to.”

If your account is selected for enrollment, you will receive an email and see a banner on GitHub.com requesting you to enroll in the two-factor authentication (2FA) program.

Then, you’ll have 45 days to configure 2FA on your account, during which you can keep using your GitHub account as usual, except for occasional reminders.

GitHub will keep you updated on your enablement deadline, and once it has passed, you will be prompted to enable 2FA the first time you access GitHub.com and blocked from accessing some features until 2FA is toggled on.

​This follows two previous announcements from and that all developers contributing code on the platform will be required to enable 2FA by the end of 2023.

GitHub provides detailed instructions on for your account and when losing 2FA credentials.

Developers can use one or more 2FA options, including physical security keys, virtual security keys built into mobile devices like smartphones and laptops, Time-based One-Time Password (TOTP) authenticator apps, or the GitHub Mobile app (after configuring TOTP or SMS 2FA).

Although text message-based 2FA is also an option (), GitHub is urging users to switch to security keys or TOTP apps because threat actors can bypass SMS 2FA or steal SMS 2FA auth tokens to hijack the developers’ accounts.

Securing the software supply chain

Enabling 2FA on GitHub accounts increases resilience against account takeover by blocking attempts to use reused passwords or stolen credentials in hijacking attacks.

This is the company’s latest move towards securing the software supply chain by moving away from basic password-based authentication.

Previously, the code hosting platform implemented and for Git operation authentication.

Additionally, GitHub back in November 2020 and introduced to secure SSH Git operations in May 2021.

Over the years, GitHub has enhanced its account security measures by incorporating , , , and providing .