GitHub hacker-proof upgrade: Coders are expected to enable two-factor authentication by the end of next year

"The software supply chain starts with developers. Social engineering and account attack campaigns often target developer accounts, so protecting developers from such attacks is the first and most critical step in securing the software supply chain." On May 4, local time, Mike Hanley, chief security officer of GitHub, announced GitHub's new policy in a blog post: by the end of 2023, all users who contribute code on GitHub.com must enable at least one form of two-factor authentication (2FA).

While two-factor authentication provides important additional protection for online accounts, internal research from GitHub shows that only about 16.5 percent of active users and 6.44 percent of npm users currently have enhanced security measures enabled on their accounts.

GitHub is a code hosting platform used by tens of millions of software developers worldwide. Hanley writes, "GitHub is in a unique position where, with the vast majority of the open source and creator communities on GitHub.com alone, we can have a significant positive impact on the security of the entire ecosystem by raising security standards."

Securing open source software remains a pressing concern for the software industry, especially after last year's log4j vulnerability, a major threat to computer networks worldwide that businesses and governments scrambled to address. But while GitHub's new policy will mitigate some threats, systemic challenges remain: many open source projects are still maintained by unpaid volunteers, and closing that funding gap has long been seen as a major concern for the entire tech industry.

What is two-factor authentication? Why does GitHub think account security and two-factor authentication are important?

Two-factor authentication conceptual diagram

2FA (two-factor authentication) means verifying two of the following three kinds of factors at the same time: something you know (a password, etc.), something you have (an ID card, etc.), and something you are (a fingerprint, iris, face, etc.).

Hanley writes, "Most security vulnerabilities are not the product of rare zero-day attacks that take full advantage of previously unknown vulnerabilities, but come from many low-cost attacks, such as social engineering, credential theft or disclosure, and many other avenues that provide attackers with broad access to the victim's account and all their resources. Compromised accounts can be used to steal private code or push malicious changes onto that code. Not only will this put individuals and organizations associated with the compromised account at risk, but all users who use the affected code will be exposed to a risky environment. As a result, such an attack could have a huge impact on the broader software ecosystem and downstream in the supply chain."

That's why two-factor authentication is an effective mechanism for securing business-critical systems: if bad actors obtain login credentials, it's much harder for them to make use of them.

To see this more intuitively, consider the hidden danger of authenticating with only a username and password.

Every day, large numbers of websites are breached and their data leaked, including users' account passwords. Once attackers have those passwords, they can use them to try to log in to other websites, an attack known as credential stuffing.

To defend against credential stuffing, websites add further identity checks beyond the password, such as GitHub's two-factor authentication, login alerts, device verification, and protection against leaked passwords.
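As an added illustration (not from the article or GitHub's own code), the following Python sketch shows the second factor the article describes: a login that checks a password (something you know) and an RFC 6238 time-based one-time code (something you have, as produced by authenticator apps). The user record, salt and password are constructed; the TOTP secret is the RFC test-vector seed.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret (the RFC 4226/6238 test-vector seed). In practice each
# user gets a random secret shared with their authenticator app at enrolment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


# Constructed user record: salted password hash plus an enrolled TOTP secret.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.sha256(b"constructed-salt" + b"hunter2").hexdigest(),
        "totp_secret": DEMO_SECRET,
    }
}


def login(user: str, password: str, code: Optional[str], now: Optional[int] = None) -> bool:
    """Succeeds only with the right password AND a current one-time code.

    A leaked password alone (the credential-stuffing case) is rejected because
    the attacker does not hold the enrolled secret that generates the code."""
    record = USERS.get(user)
    if record is None:
        return False
    candidate = hashlib.sha256(record["salt"] + password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, record["pw_hash"]) or code is None:
        return False
    now = int(time.time()) if now is None else now
    # Accept the current 30 s step and one step either side to absorb clock drift.
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(record["totp_secret"], now + 30 * drift), code):
            return True
    return False
```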

GitHub revealed that in November 2021, some developer accounts without 2FA enabled were compromised, resulting in a number of npm (Node Package Manager) packages being taken over by intruders, after which GitHub promised to invest more resources in npm account security.

GitHub believes that the best defense against this kind of attack is to move beyond the original password-only basic authentication. "GitHub has taken a step in this direction, deprecating basic authentication for git operations and our API and requiring email-based device verification in addition to the username and password. 2FA is the next line of defense," Hanley wrote.

In the coming months, GitHub will share more details and timelines for requiring GitHub.com users to upgrade to 2FA.