GitHub has issued a warning to its users, notifying them that starting January 19th, 2024, contributors of code on GitHub.com must enable two-factor authentication (2FA) on their accounts. In emails sent on Christmas Eve, GitHub informed users that failure to enable 2FA by the specified date would lead to limited functionality on the site. The decision to enforce 2FA is aimed at bolstering account security and preventing unauthorized access or code alterations, especially in the context of supply chain attacks.
The requirement applies specifically to GitHub.com and not to business or enterprise accounts. GitHub emphasized the significance of this change for users who write or manage code on the platform. Users failing to set up 2FA by the deadline will experience restricted access, with GitHub providing instructions to facilitate the configuration process. After the January 19th deadline, users attempting to access GitHub.com without 2FA will be automatically directed to complete the setup.
GitHub offers various methods for enabling 2FA, catering to user preferences, including security keys, GitHub Mobile, authenticator apps (TOTP), and SMS text messages. To ensure continuous access, it is recommended that users activate at least two of these methods. Even after 2FA becomes mandatory, existing Personal Access Tokens, SSH keys, and apps will continue to work. However, users will need to enable 2FA on their accounts to create new tokens or modify account settings.
In its communication to users, GitHub suggests having more than one 2FA method as a precaution, stating that it “may not be able to restore access to accounts with 2FA enabled if you lose your 2FA credentials.” If users lose all 2FA options, the only way to regain access is through recovery codes. GitHub’s move to enforce 2FA reflects the platform’s commitment to enhancing security measures and protecting the integrity of code repositories against potential security threats.
