GitHub to mandate 2FA by 2023, plans for additional security

More GitHub security features planned

GitHub 2FA will require a username and password and then ask for a second piece of information, like a biometric factor or security token, before gaining access to the site. The policy is a result of npm package takeovers resulting from compromised developer accounts without 2FA enabled.

But mandatory 2FA is just the beginning for securing GitHub code. John Swanson, security strategy director at GitHub, said the company is exploring new ways to authenticate users. That's in addition to those that they currently support, which include GitHub Mobile, WebAuthn-backed security keys -- which negates the need to store passwords on servers -- and SMS.

The additional security measures are necessary because 2FA has limitations*, said Caleb Hailey, senior director of product management at Sumo Logic, a data analytics company. For example, while 2FA will reduce the possibility of impersonation, he said, "it won't prevent bad actors from verifying their own accounts via 2FA and contributing potentially malicious code."

Less-secure forms of 2FA are open to abuse like phishing attacks, said Reed Loden, vice president of security at Teleport, a platform that provides secure systems access. The obvious next step, he said, is widespread adoption of phish-proof security methods like WebAuthn and Fast Identify Online 2 (FIDO2), a passwordless authentication standard.

Physical keys may solve the security problem

Basic 2FA offers one level of protection, but it can be bolstered with physical keys -- like YubiKey -- to add a second level of authentication to the sign in process. Larry Carvalho, an independent analyst at RobustCloud, said, "While [the GitHub 2FA policy] will improve overall security, I feel that protection with a physical device is better." To back up his point, Carvalho referred to a Krebs report, which stated that Google employees reported zero successful phishing attempts after physical keys were mandated. 

But one problem with physical keys, which can be part of a 2FA program, is that they can be misplaced. Another is that they may not be affordable for every developer. "Forcing pro bono open source developers doing work for the community to buy security keys would be too much to ask for," said David Cottrell, founder and CTO at Zynq, an office management platform company.

Plus, there are limits to the utility of individual security keys, Teleport's Loden said. "Security keys are often a major pain when dealing with multiple devices," he said, especially with older USB models, which do not work with mobile devices.

GitHub has not yet mandated the use of physical keys. However, it will continue to track the necessity of additional security measures as standards evolve, Swanson said.

Extra security may lead to lower productivity

While the consensus from analysts is that enhanced security measures are necessary, not all developers are happy with the extra work involved with authentication. Kimberly Silva, senior software engineer and CEO at FindPeopleFirst, a people-finder service, said the new policy doesn't make sense, because not every project needs 2FA. Implementing it across the board "will be a hindrance to productivity, a danger of account loss and a pain to install for the majority of developers," she said.

GitHub's Swanson is aware that authentication measures may hinder productivity. "We're committed to ensuring that strong account security doesn't come at the expense of a great developer experience," he said, adding that GitHub is working to make a range of secure options more usable and available. "We believe the flexibility to choose from a variety of factors is currently important to support broad adoption."

*The original version of this story incorrectly attributed this to Ankur Papneja, product manager at Contrast Security.