Security: GitHub to roll out two-factor authentication by 2023

GitHub is introducing new rules for developers regarding two-factor authentication (2FA). On Wednesday, the Microsoft-owned code repository said changes would be made to its existing authentication rules as part of a “platform-wide effort to protect the software ecosystem by improving account security.” By the end of 2023, the platform will require any developer contributing code to enable at least one form of 2FA, according to GitHub security director Mike Hanley.

Today, open source projects are a valuable resource for individuals and businesses alike. They are not infallible, however, and if compromised they can lead to data theft, which is sometimes extremely damaging. Salesforce-owned cloud platform provider Heroku reported a security incident in April: a subset of its private git repositories was compromised after OAuth tokens were stolen, potentially giving unauthorized access to customer repositories.

Explaining why it is tightening its controls, GitHub notes that developer accounts are “common targets for social engineering and account hijacking.” The recent wave of malicious packages uploaded to the GitHub-owned npm registry has also drawn attention to the security of the software supply chain.

Strengthening security that is still too light

In many cases, it is not a zero-day vulnerability that brings down open source projects or sends developers into a cold sweat. Rather, attackers exploit fundamental weaknesses such as weak passwords or stolen information. The code repository has also acknowledged that there can be a trade-off between security and user experience, so the 2023 deadline will give the organization time to “optimize” the GitHub platform before the rules are set in stone.

“Developers around the world can expect more options for secure authentication and account recovery, as well as improvements to help prevent and recover compromised accounts,” says GitHub. The urgency is very real for the platform: only 16.5% of its active users use at least one form of two-factor authentication.

“While we are investing heavily in our platform and in the industry as a whole to improve the overall security of the software supply chain, the value of these investments is fundamentally limited unless we address the ongoing risk of compromised software,” says Mike Hanley. “Our response to this challenge continues today as we strive to improve supply chain security through secure practices for individual developers.”

As a reminder, GitHub introduced a new scanning feature in April to protect developers and prevent secrets from being accidentally leaked. Available to enterprise users, it is an optional check that developers can enable to run during workflows and before a git push goes through.
