Here is some news that is long overdue but still important: by the end of 2023, GitHub will require all users who contribute code to the site to enable one or more forms of two-factor authentication (2FA).
And that is very good news. Today, only 16.5 percent of active users of Microsoft-owned GitHub and 6.44 percent of npm users use 2FA. That is not much, and really less than I expected.
“Hacked accounts can be used to steal private code or push malicious changes into that code. This puts not only individuals and organizations at risk for hacked accounts, but also any user affected by the code. The extensive software environment and the resulting supply chain are significant,” Mike Hanley, GitHub’s Chief Security Officer, wrote in a statement today.
He also noted that the company is trying to ensure that the extra layer of security does not come at the expense of user experience. Hence the long gap between today's announcement and when the requirement will take effect. “Our end-of-2023 target gives us a chance to improve on this,” Hanley explained. Converting to 2FA involves some changes to the user experience both in the command line and in the GitHub web interface.
It is noteworthy that earlier this year, GitHub also enrolled the maintainers of the top 100 npm packages in mandatory 2FA to prevent software supply chain attacks. It plans to expand this to the top 500 packages this month and then to all packages with more than 500 dependents or 1 million weekly downloads.