GitHub is introducing new rules regarding developers and the security of two-factor authentication (2FA).
The Microsoft-owned code-sharing platform said on Wednesday that its existing authentication rules will change as part of an effort to protect the software ecosystem by improving account security.
According to GitHub Chief Security Officer (CSO) Mike Hanley, by the end of 2023 GitHub will require every developer who contributes code to the platform to enable at least one form of two-factor authentication (2FA).
Authentication, a common goal
Open source projects are popular and widely used resources that are equally valuable to individuals and businesses alike. However, if an attacker compromises a developer’s account, this can lead to repositories being hacked, data theft, and project disruption.
Cloud platform provider Heroku, owned by Salesforce, reported a security incident in April: a subset of its private Git repositories was compromised after OAuth tokens were stolen, potentially giving unauthorized access to client repositories.
GitHub claims that the software supply chain “starts with the developer” and has tightened controls with that in mind. The company believes that developer accounts are “common targets for social engineering attacks and account hijacking.”
Recently, malicious modules uploaded to the GitHub-owned npm registry have also drawn attention to the security of the software supply chain.
In many cases it is not a zero-day vulnerability that brings an open source project down. Instead, attackers exploit basic weaknesses such as weak passwords or stolen credentials.
A delicate compromise
However, the platform has also acknowledged that there are trade-offs between security and user experience, so the 2023 deadline also gives the organization time to “optimize” the GitHub platform before the rules are set in stone.
“Developers around the world can expect more options for secure authentication and account recovery, as well as improvements that help prevent account compromise and recover,” Hanley commented.
For GitHub, 2FA adoption is a pressing issue: only 16.5% of active GitHub users and 6.44% of npm users use at least some form of 2FA.
GitHub has already moved away from basic authentication with only a username and password in favor of OAuth or access tokens. The organization also introduced email device verification for accounts that have not enabled two-factor authentication.
The current plan is to have a mandatory rollout of 2FA on npm, moving from the top 100 packages to the top 500 and then to those with over 500 dependent packages or one million weekly downloads. Lessons learned from this testbed will then be applied to GitHub.