GitHub will begin its official rollout of two-factor authentication for developers who contribute code on the platform, starting March 13.
The step comes under a plan announced last May to make 2FA mandatory for all contributors by the end of 2023. If successful, the requirement could help to better secure the accounts of over 100 million users, protecting them from software supply chain attacks and other threats aimed at the platform.
"Over the course of the next year, we'll be reaching out to groups of developers and administrators, starting with smaller groups on March 13, to notify them of their 2FA enrollment requirement," GitHub wrote in a blog post on Thursday. "This gradual rollout will let us make sure developers are able to successfully onboard, and make adjustments as needed before we scale to larger groups as the year progresses."
Developers who are selected will be notified by email and have 45 days to configure 2FA on their accounts. During that window the account can be used as normal, apart from periodic reminders.
Users who are not selected for an early enrollment group but would like to set up 2FA can enroll voluntarily at any time.
SMS now, passkeys later
Along with setting next Monday as the official start day, GitHub added that it will support SMS text messages as a second factor, while testing FIDO Alliance passkeys internally to improve the security posture.
While SMS is deemed less secure than other second factors in the security community, some experts still praised GitHub's decision to keep it.
"It is true that SMS 2FA can be easily phished by hackers as it relies on knowledge-based credentials. But GitHub recognizes these risks and strongly recommends using security keys and TOTPs wherever possible for greater security -- [and] will continue to offer SMS for 2FA -- which is better than removing the option entirely," said Andrew Shikiar, executive director of the FIDO Alliance.
Timothy De Block, application security engineering practice lead at GuidePoint Security, added that SMS also adds a measure of convenience, particularly regarding account recovery.
"If a phone is lost, wiped, or dropped in the toilet, the authentication app is no longer synced with the authentication mechanism of their account. And if users do not have backup codes, it will be difficult to recover the account. But with SMS, they just need to get a new phone with the same number," said De Block.
GitHub's support of SMS starkly contrasts with that of Twitter, which eliminated the function a month ago for non-subscribers.
Regarding passkeys, the platform did not specify a deployment timeline but said it has already tested them internally.
Security experts speak highly of passkeys, with many viewing them as a long-term defense against software supply chain attacks that begin with stolen or phished credentials.
"Passkeys change the paradigm of how people are typically authenticating online today by replacing the password -- a fundamentally flawed first factor -- with an un-phishable primary factor for user authentication that is built into virtually every modern computing device today," said Shikiar. "Many attacks on Cloud Service Providers (CSPs) and the software supply chain can be tied back to weak authentication and/or compromised credentials. The primary attack vector is removed by implementing passkeys, which greatly reduces the risk of hackers carrying out scalable attacks."
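The difference Shikiar draws between a phishable code and an "un-phishable" factor comes down to what gets signed. The following Go program is an added illustration written for this article; it is not GitHub's code and not code from any of the people quoted. It implements RFC 6238 TOTP and a deliberately simplified WebAuthn assertion (ES256 over `authData || SHA-256(clientDataJSON)`), then plays both through an adversary-in-the-middle proxy at a look-alike origin. The secret, timestamp, challenge and the `github-login.example` domain are constructed sample values, and real WebAuthn carries more fields (attestation, extensions, credential IDs) than are modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). Nothing in the code
// records where it was typed, so a proxy relaying it within the window gets in.
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func totpValid(secret []byte, code string, unixTime int64) bool {
	return hmac.Equal([]byte(code), []byte(totp(secret, unixTime)))
}

// Simplified WebAuthn assertion. The browser fills in Origin from the page that
// called the API; the user cannot edit it, and the authenticator signs over it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte   // SHA-256(rpId) || flags || 4-byte counter
	R, S           *big.Int // ECDSA P-256 signature (ES256)
}

// authenticatorSign models the user's device answering a login prompt shown by
// a page at `origin`. It signs SHA-256(authData || SHA-256(clientDataJSON)).
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	r, s, err := ecdsa.Sign(rand.Reader, priv, msg[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cd, AuthData: authData, R: r, S: s}, nil
}

// verifyAssertion is the relying-party side. The origin and rpId checks are
// what make an assertion relayed from a look-alike site fail.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, wantOrigin, wantChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return errors.New("unexpected type or challenge")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("assertion was produced for origin %q, not %q", cd.Origin, wantOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !hmac.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpId hash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.Verify(pub, msg[:], a.R, a.S) {
		return errors.New("signature does not verify")
	}
	return nil
}

// relayScenario plays both factors through a phishing proxy. It returns whether
// the relayed TOTP code was accepted, the verification error for the relayed
// passkey assertion (nil if accepted), and the error for a genuine login.
func relayScenario() (totpAccepted bool, passkeyErr error, legitErr error) {
	secret := []byte("constructed-shared-secret") // constructed sample data
	now := int64(1678665600)                      // 2023-03-13T00:00:00Z, constructed
	typedOnProxyPage := totp(secret, now)         // victim types the code into the proxy
	totpAccepted = totpValid(secret, typedOnProxyPage, now+5)

	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, realOrigin, fakeOrigin = "github.com", "https://github.com", "https://github-login.example"
	challenge := "constructed-challenge-value" // a real RP draws this fresh per login

	legit, _ := authenticatorSign(priv, rpID, realOrigin, challenge)
	legitErr = verifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, legit)

	// The proxy relays the genuine challenge, but the victim's browser stamps the
	// proxy's origin into clientData, and that is what the device signs. (A real
	// browser would also refuse to let the look-alike domain use rpId github.com.)
	relayed, _ := authenticatorSign(priv, rpID, fakeOrigin, challenge)
	passkeyErr = verifyAssertion(&priv.PublicKey, rpID, realOrigin, challenge, relayed)
	return
}

func main() {
	totpAccepted, passkeyErr, legitErr := relayScenario()
	fmt.Println("relayed TOTP accepted:", totpAccepted)
	fmt.Println("genuine passkey login:", legitErr)
	fmt.Println("relayed passkey login:", passkeyErr)
}
```

The TOTP code verifies wherever it is typed, which is why SMS and app-based codes fall to a real-time relay; the passkey assertion fails at the origin check before the signature is even examined, with no user judgement involved. The same property is why security keys and TOTP are not equivalent in GitHub's recommendation, even though both are "something you have".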
"The rise of passkeys has also seen the adoption of novel methods, such as password-less authentication with email and One-time-use Code/Magic links that offer both high security and convenience while ensuring the login flow is predictable for end users. With improved adoption, I expect it to become mainstream soon," added Debrup Ghosh, staff product manager at Synopsys.