Highlights –
- GitHub has already made 2FA mandatory for a small subset of its users, the maintainers of the most popular NPM packages.
- By directing these users towards a higher minimum standard of account protection, GitHub aims to enhance the overall security of the software development community.
GitHub, the world's largest open source platform, used by millions of software developers around the world, announced that by the end of 2023 every user who contributes code on GitHub.com will be required to have one or more forms of two-factor authentication (2FA) enabled.
GitHub's Chief Security Officer (CSO) Mike Hanley made the announcement in a blog post in which he discussed the Microsoft-owned platform's role in safeguarding the integrity of the software development process at a time when attackers increasingly hijack developers' accounts.
“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”
Multi-factor authentication substantially raises the cost of account takeover, because a phished, leaked or reused password alone no longer grants access. Still, research by an internal GitHub team found that only about 16.5% of active GitHub users (roughly one in six) and 6.44% of NPM users have any form of 2FA enabled on their accounts. Such figures are surprising given that GitHub's user base, more than most, should be aware of the risks of password-only protection.
By directing these users towards a higher minimum standard of account protection, GitHub aims to enhance the overall security of the software development community, said Hanley.
He also said that GitHub is trying to ensure the extra layer of security does not degrade the user experience, which is why there is a gap between the announcement and the date on which the requirement will be enforced. "Our end of 2023 target gives us the opportunity to optimize for this," Hanley explained.
“GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on GitHub.com, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective,” Hanley said. “We feel like it’s really one of the best ecosystem-wide benefits that we can provide, and we’re committed to making sure that we work through any of the challenges or obstacles to making sure that there’s successful adoption.”
GitHub has already made 2FA mandatory for a small subset of its users, trialling it with maintainers of popular JavaScript libraries distributed through the NPM package registry. Because widely used NPM packages are downloaded millions of times every week, a single compromised maintainer account gives an attacker a distribution channel to every downstream project, which makes these accounts a very attractive target. There have been cases where attackers took over NPM maintainer accounts and used them to publish package updates that installed password stealers and cryptocurrency miners.
In response, GitHub made two-factor authentication mandatory for the maintainers of the 100 most popular NPM packages as of February 2022, and it plans to extend the same requirement to maintainers of the top 500 packages by the end of May.
Lessons from this smaller trial will be used to smooth the rollout of 2FA across the whole platform, Hanley said. "I think we have a great benefit of the fact that we've already done this now on NPM," he said. "We have learned a lot from that experience, in terms of feedback we've gotten from developers and creator communities that we've talked to, and we had a very active dialogue about what good [practice] looks like with them."
The software industry is still grappling with how to secure open-source software in the wake of last year's Log4j vulnerability. The new policy will mitigate some threats, chiefly account takeover through stolen or reused passwords, but other systemic challenges remain: many open source projects are still maintained by unpaid volunteers, and closing that funding gap remains a problem for the entire tech industry.