GitHub continues to push for the democratization of multi-factor authentication


GitHub introduces new rules regarding developers and two-factor authentication (2FA) security.

On Wednesday, the Microsoft-owned code-sharing platform said changes would be made to existing authentication rules as part of an effort to secure the software ecosystem by improving account security.

According to GitHub Chief Security Officer (CSO) Mike Hanley, GitHub will require every developer who contributes code to the platform to enable at least one form of two-factor authentication (2FA) by the end of 2023.

Authentication, a frequent target

Open source projects are popular and widely used resources that are valuable to individuals and businesses alike. However, if a malicious actor compromises a developer’s account, the result can be hijacked repositories, stolen data, and disrupted projects.

Salesforce-owned cloud platform provider Heroku disclosed a security incident in April: a subset of its private git repositories was compromised following the theft of OAuth tokens, potentially giving unauthorized access to customer repositories.

GitHub claims that the software supply chain “starts with the developer” and has tightened its controls with this in mind. The company believes that developer accounts are “frequent targets for social engineering attacks and account takeover.”

Recently, the issue of malicious modules uploaded to GitHub’s npm registry has also brought software supply chain security to the fore.

In many cases, it’s not a zero-day vulnerability that brings open source projects down. Instead, it’s fundamental weaknesses – such as weak passwords or stolen information – that cyberattackers exploit.

Delicate compromise

However, the platform also recognizes that there is a trade-off between security and user experience, so the 2023 deadline also gives the organization time to “optimize” the GitHub domain before the rules are set in stone.

“Developers everywhere can expect more options for secure authentication and account recovery, as well as enhancements that help prevent and recover from account compromise,” Hanley commented.

For GitHub, enforcing 2FA could prove a pressing issue: only 16.5% of active GitHub users and 6.44% of npm users have adopted at least some form of 2FA.

GitHub has already deprecated basic authentication with a username and password alone in favor of OAuth or access tokens. The organization has also introduced device verification via email for accounts that have not enabled 2FA.

The current plan is to pursue a mandatory rollout of 2FA on npm, moving from the top 100 packages to the top 500, and then to packages with more than 500 dependents or one million weekly downloads. Lessons learned from this testbed will then be applied to GitHub itself.

Source: ZDNet.com