GitHub has announced significant progress in securing the software supply chain through its two-factor authentication (2FA) initiative for code contributors. The initiative, launched in 2023, aimed to bolster defenses against potential supply chain attacks, has resulted in a notable increase in 2FA adoption, particularly among users with a significant impact on software development and distribution. Over the past year, GitHub saw a dramatic increase in the use of 2FA on its platform, with a shift towards more secure methods such as passkeys, which are supported by Webauthn. The transition to these secure methods has led to a reduction in the number of 2FA-related support tickets, thanks to comprehensive user-focused research, design improvements, and support process enhancements.
Organizations like RubyGems, PyPI, and AWS have joined GitHub in adopting higher security standards, significantly increasing 2FA usage across the software supply chain. Mike Hanley, Chief Security Officer at GitHub, expressed satisfaction with the initiative’s outcomes, stating, “Preventing the next cyberattack depends on getting the security basics right. Our efforts to secure the software ecosystem must protect the developers who design, build, and maintain the software we all depend on.” He highlighted the necessity of robust multi-factor authentication to prevent account takeovers and further protect the supply chain. The 2FA requirement at GitHub has seen nearly 95% compliance among code contributors, with a 54% rise in overall 2FA adoption among active users on GitHub.com since its introduction. The platform has promoted the adoption of passkeys, which combine high security with ease of use, resulting in nearly 1.4 million passkeys being registered on GitHub.com by early 2024. While GitHub continues to support SMS as a 2FA option, it encourages users to opt for more secure methods whenever possible, which has led to a 23% decline in SMS-based 2FA usage within a year.
Improvements in the enrollment experience and passkey rollout have shown that users configuring two or more forms of 2FA are nearly 50% more likely to maintain secure access without becoming locked out, enhancing user experience across the board. GitHub’s investment in 2FA onboarding workflows and design enhancements has also led to a one-third reduction in 2FA-related support tickets. While the primary goal of the 2FA initiative was to secure GitHub’s own platform, its broader impact on the software supply chain has prompted other organizations to adopt similar security measures. GitHub continues to refine its strategies to encourage more widespread use of 2FA, improve user experience through session and token binding, and promote the adoption of secure authenticators. As GitHub advances its security measures, the company hopes that more organizations will implement similar protections. As Hanley puts it, “Security that isn’t usable isn’t security at all,” underscoring the importance of accessible, effective security solutions in the tech industry.
#CyberSecurityNews #SoftwareSupplyChainNews #SoftwareDevelopment #ITSecurity #GitHubNews