GitHub’s 2FA Push Boosts Adoption among Developers
GitHub is on a mission to help secure millions of developers through its mandatory two-factor authentication (2FA) policy.
Through the company’s initiative to make the software ecosystem more secure, GitHub has dramatically increased 2FA adoption among code contributors, with a 95% opt-in rate and a 54% increase in overall adoption among active contributors.
Significance of GitHub
GitHub, which hosts a significant portion of the world’s open source software, is an important link in securing the global software supply chain, said Janet Worthington, an analyst at Forrester.
“Implementing mandatory two-factor authentication is a crucial measure to prevent the hijacking of developer user accounts by malicious actors, thereby safeguarding the open source software on which we all depend,” she told The New Stack.
A little more than a year ago (March 2023), GitHub began officially rolling out its initiative, initially introduced in 2022, to require all developers who contribute code on GitHub.com to enable one or more forms of 2FA by the end of 2023.
“Because strong multi-factor authentication remains one of the best defenses against account takeover and subsequent supply chain compromise, we set an ambitious goal to require users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023,” wrote Michael Hanley, Chief Security Officer and SVP of Engineering at GitHub, in a blog post.
GitHub then invested a year of research and design around the implementation of these requirements, followed by the gradual rollout of user onboarding.
Findings
In retrospect, Hanley said GitHub saw:
- Dramatic increase in 2FA adoption on GitHub.com focused on users who have the most critical impact on the software supply chain.
- Users adopting more secure means of 2FA, including passkeys.
- Net reduction in 2FA-related support ticket volume, something we credit to heavy up-front user research and design as well as Support process improvements.
- Other organizations like RubyGems, PyPI, and AWS join us in raising the bar for the entire software supply chain, proving that large increases in 2FA adoption aren’t an insurmountable challenge.
Moreover, nearly 1.4 million passkeys, a more secure form of 2FA, have been registered on GitHub.com since their introduction in July 2023.
In addition, GitHub has reduced the share of SMS as a second factor by almost 23% and made it 47% more likely for users to configure two or more forms of 2FA.
Also, due to significant investments in user experience and design, GitHub saw a one-third reduction in 2FA-related support tickets and a 54% reduction in 2FA account recovery tickets requiring human intervention.
Measuring Effectiveness
David Vance, an analyst at Enterprise Strategy Group, said while he applauds GitHub for its mandatory enforcement of 2FA last year, which he characterized as “needed and long overdue,” measuring the initiative’s effectiveness is not so simple.
“Anecdotally, you only know if a security control is effective by observing a lack of related incidents (unless the control has a way to measure successful and unsuccessful attempts),” Vance said. “Did GitHub have a decrease in account hacking/unauthorized authentication attempts after implementing mandatory 2FA? I honestly don’t know but would like to think (hope) they did.”
Vance noted that GitHub has experienced token leaks over the past year.
“While I think their mandatory enforcement of 2FA was a step in the right direction, I firmly believe they didn’t go far enough,” he told The New Stack. “I think GitHub still has a lot of work to do in terms of security authentication and enforcement. They should increase their usage of 2FA to multifactor authentication using geo-location and/or additional forms of authentication to mitigate incidents such as lost/stolen tokens, keys and certificates. The banks I use online have this capability, so why shouldn’t GitHub?”
However, “GitHub’s campaign has been effective, as evidenced by their reporting of a high opt-in rate for 2FA, and more importantly, the use of passkeys as the second factor, which is more challenging for attackers to circumvent,” Forrester’s Worthington said. “Most organizations utilize open source to power applications and digital experiences and therefore have an obligation to give back to the open source community, by committing developer time, finding and fixing security flaws and making financial contributions to open source projects and communities such as the Apache Foundation, Cloud Native Computing Foundation, or the Linux Foundation.”
Moving forward, GitHub plans to continue expanding 2FA requirements to more users, improve the user experience, and encourage the adoption of more secure factors like passkeys. The company urges other organizations to join their efforts in securing the software ecosystem by implementing similar 2FA requirements on their platforms.