GitHub makes 2FA mandatory next week for active developers
GitHub will start requiring active developers to enable two-factor authentication on their accounts beginning next week, on March 13.
The gradual rollout will start next week, with GitHub reaching out to smaller groups of administrators and developers via email. It will speed up as the end of the year approaches, a pace meant to ensure that onboarding is seamless and users have time to sort out any issues.
GitHub will keep you updated on your enablement deadline, and once it has passed, you will be prompted to enable 2FA the first time you access GitHub.com and blocked from accessing some features until 2FA is toggled on.
GitHub provides detailed instructions on configuring 2FA for your account and recovering accounts when losing 2FA credentials.
Developers can use one or more 2FA options, including physical security keys, virtual security keys built into mobile devices like smartphones and laptops, Time-based One-Time Password (TOTP) authenticator apps, or the GitHub Mobile app.
Although text message-based 2FA is also an option, GitHub is urging users to switch to security keys or TOTP apps because threat actors can bypass SMS 2FA or steal SMS 2FA auth tokens to hijack the developers' accounts.