GitHub is introducing mandatory 2FA for all developers in new security drive
Starting next week, GitHub is going to require active developers on the site to enable at least one form of two-factor authentication (2FA). The security initiative will start with specially selected groups of developers and administrators on March 13.
Until the end of the year, GitHub will begin notifying those who have been selected of the 2FA requirement. As the year progresses, more and more users will be obliged to enable two-factor authentication.
- Forget Notepad! The far superior Notepad++ now integrates with Windows 11
- New PowerToys alert! Microsoft releases update adding Mouse Jump and Paste As Plain Text utilities
- NVIDIA releases hotfix driver for high CPU usage in Windows 11 and 10
Launching the new security measures, GitHub says: "On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023".
GitHub will display a banner notification on accounts selected for enrollment in the program advising them of the need to enable 2FA within 45 days. When deadline day rolls around, anyone who was selected but has still filed to enable 2FA will be prompted daily to do so.
Failure to enable two-factor authentication a week after the deadline will mean losing access to GitHub feature until it is enabled.
GitHub says that it is making various changes to the 2FA 'experience' to smooth the transition:
- Second-factor validation after 2FA setup. GitHub.com users who set up 2FA will see a prompt after 28 days, asking them to perform 2FA and confirm their second factor settings. This prompt helps avoid account lockout due to misconfigured authenticator applications (TOTP apps). If you find that you can't perform 2FA, you'll be presented with a shortcut that allows you to reset your 2FA setup without being locked out of your account.
- Enroll second factors. Having more accessible 2FA methods is important to ensure that you always have access to your account. You can now have both an authenticator app (TOTP) and an SMS number registered on your account at the same time. While we recommend using security keys and your TOTP app over SMS, allowing both at the same time helps reduce account lock out by providing another accessible, understandable 2FA option that developers can enable.
- Choose your preferred 2FA method. The new preferred option empowers you to set your preferred 2FA method for account login and use of the sudo prompt, so you're always asked for your favorite method first during sign-in. You can choose between TOTP, SMS, security keys, or GitHub Mobile as your preferred 2FA method. We strongly recommend the use of security keys and TOTPs wherever possible. SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B. The strongest methods widely available are those that support the WebAuthn secure authentication standard. These methods include physical security keys, as well as personal devices that support technologies, such as Windows Hello or Face ID/Touch ID.
- Unlink your email in case of 2FA lockout. Since accounts on GitHub are required to have a unique email address, locked out users have difficulty starting a new account using their preferred email address -- the one all their commits point to. With this feature, you can now unlink your email address from a two-factor enabled GitHub account in case you're unable to sign in or recover it. If you're unable to find an SSH key, PAT, or a device that's been previously signed into GitHub to recover your account, it's easy to start fresh with a new GitHub.com account and keep that contribution graph rightfully green.
More information is available in GitHub's blog post.