GitHub will make 2FA mandatory


GitHub intends to strengthen the security of its users by mandating 2FA

Starting next week, GitHub will require active developers on the platform to enable at least one form of two-factor authentication (2FA). The security initiative began on March 13 with specially selected groups of developers and administrators.

Through the end of the year, GitHub will notify the selected users of the requirement to use two-factor authentication. As the year progresses, more and more users will be required to enable it.

In releasing the new security measures, GitHub states:

"On March 13, we will officially begin rolling out our initiative to require all developers contributing code to GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023."

GitHub will show a notification banner on the accounts selected to participate in the program, notifying them of the need to enable two-factor authentication within 45 days. Once the deadline arrives, people who have been selected but have not yet completed 2FA enrollment will be prompted daily to do so.

If two-factor authentication is still not enabled one week after the deadline, access to GitHub features will be blocked until it is enabled.

GitHub says it is making several changes to the 2FA experience to ease the transition:

  • Second-factor validation after 2FA setup.
    GitHub users who have configured 2FA will see a message after 28 days asking them to perform 2FA and confirm that their second factor is set up correctly. This check helps prevent account lockout caused by misconfigured authenticator (TOTP) apps. If 2FA cannot be performed, a shortcut allows you to reset the 2FA settings without getting locked out of your account.
  • Enrolling multiple second factors.
    With this change, you are no longer limited to a single 2FA method: you can register more than one, and they are made more accessible so that you always retain access to your account.

    You can now have both an authenticator app (TOTP) and an SMS number registered to your account. While GitHub recommends security keys and a TOTP app over SMS, allowing both methods at the same time helps reduce account lockout by providing another accessible and understandable 2FA option that developers can enable.

  • Choice of preferred 2FA method.
    The new preferred-method option lets you choose which 2FA method is used to log in to the account and to answer the sudo prompt, so your preferred method is always asked for first at login. You can choose between TOTP, SMS, security keys or GitHub Mobile as the preferred 2FA method. It is strongly recommended to use security keys and TOTP whenever possible: SMS 2FA does not offer the same level of protection and is no longer recommended by NIST 800-63B. The strongest methods available are those that support the WebAuthn secure authentication standard. These methods include physical security keys,
  • Email unlinking in case of 2FA lockout.
    Since accounts on GitHub must have a unique email address, locked-out users have a hard time creating a new account with their preferred email address, which all their commits point to. With this feature, you can now unlink your email address from a 2FA-enabled GitHub account if you cannot log in or recover it. If you can't find an SSH key, PAT, or previously connected device with which to recover your account, it's easy to start fresh with a new GitHub.com account and keep your contribution graph green.

Finally, if you want to know more about it, you can consult the details at the following link
