GitHub will require contributors to use two-factor authentication by the end of 2023, the code-hosting platform announced Wednesday. ("GitHub Office" by DASPRiD is marked with CC BY 2.0.)

GitHub on Wednesday announced that it will require all of its users who contribute code on to use one or more forms of two-factor authentication by the end of 2023.

In a blog post, GitHub pointed out the need to take this step, mainly because 2FA adoption across the software ecosystem remains low overall. Today, only just 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.

“At GitHub, we believe that our unique position as the home for all developers means that we have both an opportunity and a responsibility to raise the bar for security across the software development ecosystem,” said Mike Hanley, chief security officer at GitHub and author of today’s blog.

Hackers have long targeted code. However, recent events have highlighted the seriousness of the threat, said Casey Bisson, head of product and developer relations at BluBracket, who added that GitHub made a great move.

“This will help motivate any companies that haven’t yet enabled the option, but we also have to acknowledge the limits,” Bission said. “Developer productivity often requires broad access to code. Private repositories — even with improved authentication — provide little protection to companies that store keys, secrets, and other sensitive material in their code. Most of the companies recently attacked by Lapsus$, for example, also had strong authentication policies with 2FA, yet still saw their code — and all the keys and passwords in it — leaked publicly.”

Joseph Carson, chief security scientist and advisory CISO at Delinea, said companies should use 2FA anywhere and everywhere possible as it’s the best “next-step” way to authenticate identities beyond simply using a username and password. Carson said strong password management, privileged access security, and MFA will make it difficult for attackers to succeed at gaining an initial foothold, forcing them to look for an easier target elsewhere.  

“Recent advancements in MFA options have made it far less burdensome to users,” Carson said. “However, the most common mistakes we see with MFA is that it’s used in addition to existing security controls as another step, rather than making it easier and removing existing authentication poor practices. It’s simply added on to existing security controls. We need to make authentication easier and the experience positive where possible, otherwise users will find ways around the security control making them much weaker.”