GitHub will begin its official rollout of two-factor authentication for developers who contribute code on the platform, starting March 13.
The step comes under a plan announced last May to make 2FA mandatory for all contributors by the end of 2023. If successful, the requirement could help to better secure the accounts of over 100 million users, protecting them from software supply chain attacks and other threats leveled at the platform.
“Over the course of the next year, we’ll be reaching out to groups of developers and administrators, starting with smaller groups on March 13, to notify them of their 2FA enrollment requirement,” GitHub wrote in a blog post on Thursday. “This gradual rollout will let us make sure developers are able to successfully onboard, and make adjustments as needed before we scale to larger groups as the year progresses.”
If selected, developers will be notified via email and have 45 days to configure 2FA on their accounts. During this time, accounts can be used as usual, apart from occasional reminders.
Users who are not selected in the early enrollment group but would like to set up 2FA can enroll on their own.
SMS now, passkeys later
Along with setting next Monday as the official start day, GitHub added that it will support SMS text messages as a second factor, while testing FIDO Alliance passkeys internally to improve the security posture.
While SMS is deemed less secure than other second factors in the security community,