GitHub Adding Two-Factor Authentication to Contributors

In a move that’s arguably better late than never, GitHub is embracing two-factor authentication for anyone who contributes code.

Many years after websites began adopting two-factor authentication (2FA) for logins, GitHub is finally catching up.

"The software supply chain starts with the developer," said Mike Hanley, GitHub’s chief security officer on their blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."

GitHub has required 2FA for popular package contributors, including npm, for a while. Soon, every contributor will need to use it. According to GitHub, the majority of attacks they experience are caused by social engineering or credential theft or loss. Adding a second factor to login should make much of that a thing of the past.

It should also help reduce the spread of malicious code or malicious changes to code on GitHub.

Considering how many of us source code from the site, that’s a welcome move, if a little late in coming!

The implementation will use TOTP SMS codes or an authenticator app. It will be compatible with 1Password, Authy, LastPass Authenticator and Microsoft Authenticator.

No word on Google Authenticator as yet.

2FA is not a get out of jail free card

Two-factor authentication can do a lot to improve login security but it isn’t a panacea for every threat vector. It does significantly improve login security, though.

Yes, it’s annoying to always need your phone to hand for an SMS code or use an authenticator app, but it’s better than the alternative. Personally, I prefer SMS codes over authenticator apps. While apps are convenient, the moment you upgrade or replace your phone, you lose all your authentications.

Then you have to contact each one to recover it and begin all over again with the new instance of the app.

That’s a real pain and something I had to do recently when I upgraded my phone. Considering upgrades are typically annually, this is a significant downside to app authentication.

Despite that, the second factor significantly enhances security. You may have lost your username and password, but without physical access to your second factor, a malicious login will fail.

The adoption is great news for GitHub users and for those of us that acquire code from the website.

We just wonder why it took so long!