
GitHub plans to require every user who contributes code on the platform to enable two-factor authentication (2FA) by the end of 2023.
The Microsoft-owned platform has a base of 83 million developers who are targeted by social engineering attacks on a constant basis, and a single compromised developer account can become the starting point of a software supply chain attack.
GitHub says it will use the next 20 months to roll out the new security requirements while optimizing the experience so that the platform's usability is not degraded.
In general, compromised GitHub accounts can be used to steal private code or to push malicious changes into repositories. Because that code is consumed downstream by other projects, the potential impact on the broader software ecosystem and supply chain is substantial.
In February this year, npm, the largest package registry for JavaScript and also owned by GitHub, enrolled the maintainers of the top 100 most popular packages in mandatory two-factor authentication.
By March 2022, all npm accounts were enrolled in enhanced login verification, and by May 31 all maintainers of the top 500 packages will be enrolled in mandatory two-factor authentication.
As of now, only 16.5% of active GitHub users and 6.44% of npm users use one or more forms of two-factor authentication.
In January, GitHub announced that two-factor authentication would be available to all users through GitHub Mobile. The feature is now available to all users in the App Store and Play Store and is another way GitHub users can enable two-factor authentication, alongside security keys, WebAuthn, one-time passcodes, and SMS. Of these, security keys and WebAuthn are phishing-resistant; one-time passcodes, and SMS in particular, are not, since the code can be relayed to a phishing page or intercepted through the carrier.