In a world where cybersecurity has become an essential priority, preventing the next cyberattack depends on getting the fundamentals of security right. It is essential to protect the developers who design, build, and maintain the software that we all depend on. GitHub, home to the world’s largest community of developers, is uniquely positioned to improve software supply chain security. In May 2022, GitHub launched an initiative to raise the standard of supply chain security, focusing on protecting developers.
One of the main goals was to have users who contribute code on GitHub.com enable one or more two-factor authentication (2FA) methods by the end of 2023, as this remains one of the best defenses against account takeover and subsequent supply chain compromise. After a year of research and design investments, GitHub began gradually implementing these requirements, ensuring a smooth and effective user experience.
The results of the first phase of 2FA enrollment are promising. There was a dramatic increase in 2FA adoption on GitHub.com, especially among users with a critical impact on the software supply chain. Additionally, there was a growing use of more secure 2FA methods, such as passkeys, while the volume of support tickets related to 2FA significantly decreased.
Since March 2023, when 2FA became mandatory, the enrollment rate has reached nearly 95% among code contributors who received the 2FA requirement, and enrollments are still coming in. This has led to a 54% increase in 2FA adoption among all active contributors.
Furthermore, the initiative encouraged users to adopt more secure authentication methods. Since passkeys became available in public beta in July 2023, nearly 1.4 million passkeys have been registered on GitHub.com. Passkeys quickly surpassed other WebAuthn-based 2FA methods.
For 2024, GitHub promises to continue strengthening the platform’s security and the software ecosystem in general, researching additional account security features and promoting the use of more secure authentication methods. The goals are to have more GitHub.com users enroll in 2FA, to improve and monitor the user experience, and to explore secure and efficient ways to make these tools more accessible.
GitHub calls on other organizations to implement similar requirements, thus raising security globally without negatively impacting the user experience. Securing both developers and the software supply chain is an ongoing effort, and GitHub is committed to leading the way.
via: MiMub in Spanish