GitHub to require 2FA from active developers by the end of 2023
GitHub announced today that all users who contribute code on its platform will be required to enable two-factor authentication on their accounts by the end of 2023.
Active contributors who will have to enable 2FA include, but are not limited to, GitHub users who commit code, use Actions, open or merge pull requests, or publish packages.
Developers can use one or more 2FA options, including physical security keys, virtual security keys built into devices like phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.
Even though SMS-based 2FA is also an option, GitHub urges switching to security keys or TOTPs since threat actors can bypass or steal SMS 2FA auth tokens.
Hanley added today that, although 2FA has already proven a simple way to secure accounts against hijacking, "Only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA."
GitHub provides detailed information on how to configure 2FA for your GitHub account, recover accounts when losing 2FA credentials, and disable 2FA for personal accounts.