In a blog post today, GitHub announced that it will require all developers who contribute code to the platform to enable two-factor authentication (2FA), effective March 13 of this year.
GitHub says that requiring developers to use 2FA is necessary to protect the security of software development and the supply chain. A translated excerpt from the blog post follows:
"GitHub is at the heart of the software supply chain, and securing the software supply chain starts with protecting developers. That's why we're advancing our 2FA program to protect software development by improving account security. Developer accounts are a common target for social engineering and account takeover (ATO). Protecting developers and consumers of the open-source ecosystem from such attacks is the first and most critical step in securing the supply chain."
GitHub says it will roll out the 2FA requirement incrementally, starting with developers and administrators. These users will receive an email alert and see a banner in GitHub's web interface. Developers have 45 days to set up 2FA, followed by a one-week buffer period; account access will be restricted if the developer has not set up 2FA.