Illustration by Alex Castro / The Verge

To continue using the platform, all users will need to enable one or more forms of two-factor authentication by the end of the year.

The new policy was announced in a post by Mike Hanley, the chief security officer at the Microsoft-owned platform.

Hanley wrote that the software supply chain starts with the developer.

Even though multi-factor authentication provides significant additional protection to online accounts, only a small percentage of active users currently enable the enhanced security measures on their accounts.

“The software supply chain starts with the developer”

By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole.

“The vast majority of open source and creator communities live on GitHub.com, so we can have a positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective.”

GitHub has already been trialing mandatory 2FA with a smaller subset of platform users, the developers of popular JavaScript libraries distributed through the package manager NPM, to establish a precedent before the site-wide requirement. NPM packages can be downloaded millions of times per week, which makes them an attractive target for criminals. In some cases, hackers compromised NPM contributor accounts and used them to publish software updates that installed password stealers.

“We feel like it’s really one of the best ecosystem-wide benefits that we can provide”

The maintainers of the 100 most popular NPM packages were made to use two-factor authentication. The requirement will be extended to contributors to the top 500 packages by the end of May.

Hanley said that the smaller trial will help smooth out the process of rolling out 2FA across the whole platform.

Hanley said that it is important to set a long lead time before 2FA becomes mandatory site-wide and to design a range of onboarding flows so that users adopt it well before the deadline.

Last year's Log4j vulnerability remains a concern for the software industry. Many open source software projects are still maintained by volunteers, and the resulting funding gap is seen as a major problem for the tech industry as a whole.