← Back to all briefings
Developer 5 min read Published Updated Credibility 90/100

Security Policy Briefing — GitHub Mandates Two-Factor Authentication

GitHub’s May 2022 announcement requires every active contributor to enable two-factor authentication by end-2023, prompting organisations to audit accounts, update governance, and support developers through hardware- or app-based enrollment.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: On 4 May 2022 GitHub announced that every user contributing code on GitHub.com must enable two-factor authentication (2FA) by the end of 2023. The phased rollout begins with maintainers of the top-100 npm packages, expands to GitHub’s “maintainer cohort” in 2022, and ultimately reaches all active contributors—including those managing issues, pull requests, or package releases. The mandate aims to protect the software supply chain after high-profile attacks, complementing GitHub’s existing security requirements for package publishers.

Operational priorities

Organisations relying on GitHub for source control must audit account security posture. Use GitHub Enterprise Cloud’s built-in reports (Security > Authentication security) or the REST/GraphQL APIs to list users without 2FA. For open-source maintainers, review collaborator lists on public repositories and remove dormant accounts to minimise enforcement friction. Developers who authenticate via single sign-on (SSO) through GitHub Enterprise Managed Users or SAML SSO still need to configure a GitHub 2FA method (TOTP app, security key, or SMS fallback) because personal access tokens, SSH keys, and API calls inherit 2FA status.

Plan for support processes when GitHub begins enforcing 2FA for cohorts. GitHub will notify targeted users 45 days before enforcement; accounts failing to enable 2FA will be blocked from contributing until setup is complete. Prepare communication templates, internal FAQs, and helpdesk workflows guiding developers through enrollment, backup code storage, and recovery. Encourage use of phishing-resistant authenticators—WebAuthn security keys or platform authenticators (Windows Hello, Touch ID)—especially for privileged roles such as organisation owners, repository admins, and package publishers.

Governance and policy alignment

Update access management policies to codify GitHub’s 2FA requirement. Boards and cybersecurity committees should treat the mandate as part of broader supply chain risk mitigation, aligning with standards such as NIST SP 800-218 (Secure Software Development Framework) and Executive Order 14028 directives. Document the requirement in secure development lifecycle playbooks and vendor management policies, noting that third-party contractors must comply before accessing repositories.

For regulated industries (financial services, healthcare, public sector), map the mandate to existing controls—e.g., PCI DSS Requirement 8 for multi-factor authentication, ISO/IEC 27001 Annex A.9, or SOC 2 CC6. Use compliance evidence from GitHub’s audit logs (available via the REST API or streaming to SIEMs through GitHub Enterprise Audit Log Streaming) to demonstrate enforcement. Consider implementing GitHub’s mandatory 2FA setting at the organisation level; while GitHub’s platform-wide mandate will enforce user-level compliance eventually, enabling the org-level control provides earlier assurance.

Developer experience and tooling

Ensure development tooling accommodates 2FA-enabled accounts. Personal access tokens (PATs), SSH keys, and Git credential helpers continue to work, but newly created PATs should use fine-grained scopes and expiration dates. For automation, migrate to GitHub Apps or GitHub Actions service accounts that rely on GitHub’s token issuance rather than user PATs. Review third-party integrations (CI pipelines, code quality tools) for embedded PATs tied to users; replace them with GitHub Apps or organisation-level tokens to avoid disruption when individual accounts are blocked.

Support developers on platforms with limited authenticator options. Provide guidance on installing authenticator apps (1Password, Authy, Microsoft Authenticator) on corporate-managed devices. For remote teams, ensure hardware security keys can be shipped and enrolled securely. Establish recovery processes for lost devices—GitHub allows recovery via saved codes, SMS, or support tickets. Encourage storing recovery codes in password managers with secure sharing features, and maintain a playbook for verifying user identity during support interactions.

Sourcing and contributor management

Open-source programmes and inner-source initiatives should notify external contributors about the requirement. Update contribution guidelines, READMEs, and project websites to emphasise that 2FA is mandatory for continued collaboration. For corporate-sponsored open source, coordinate with legal teams to ensure contributor license agreements and governance models accommodate 2FA enforcement, particularly when removing non-compliant maintainers from critical repositories.

Vendors providing development tooling or managed services that interact with GitHub must also adjust onboarding to account for 2FA. Managed service providers should verify that their engineers’ GitHub accounts meet the requirement and that support escalations include hardware token logistics. When engaging external consultants, include 2FA compliance in contract clauses and require proof of enrollment (e.g., screenshot or attestation) before granting repository access.

Integration with broader security initiatives

GitHub’s mandate aligns with other supply chain safeguards: npm requires 2FA for high-impact package maintainers, GitHub Advanced Security offers secret scanning and code scanning, and Sigstore-backed features support signing releases. Organisations should integrate 2FA enforcement into secure software development programmes—combining identity hardening with dependency review, vulnerability management, and build pipeline integrity. Track metrics such as percentage of contributors with hardware keys, number of blocked accounts during enforcement waves, and mean time to remediate access issues.

Coordinate with corporate identity providers to enforce phishing-resistant MFA across systems. Where possible, leverage conditional access policies to require hardware-backed authentication for GitHub access. Evaluate FIDO2 security key management platforms (YubiEnterprise, Google Titan, Feitian) that support inventory tracking, lifecycle management, and integration with other enterprise services.

Training and change management

Effective rollout requires deliberate change management. Incorporate 2FA training into secure coding curricula, onboarding bootcamps, and quarterly security awareness campaigns. Provide multilingual materials and video walk-throughs to support global developer populations. Capture feedback through retrospectives after each enforcement wave, refining documentation, device provisioning, and recovery practices. Recognise early adopters and security champions who help peers enroll, reinforcing positive culture change.

Timeline and monitoring

GitHub’s rollout spans 2022–2023. Initial enforcement targeted maintainers of the top npm packages in May 2022, expanding to GitHub-owned organisations and high-impact projects through the year. By the end of 2023 all users who commit code, open pull requests, or publish packages must have 2FA enabled. Monitor GitHub’s public roadmap, blog updates, and maintainer communications for specific cohort timelines. Organisations using GitHub Enterprise Server should note that the mandate applies to GitHub.com accounts; however, similar best practices should be adopted for self-hosted environments, leveraging SAML/LDAP integrations and hardware token policies.

Establish dashboards and alerts that flag users approaching enforcement deadlines. Use GitHub Actions or scheduled scripts to poll the Users API for 2FA status, sending reminders via chat or email. During enforcement, provide near-real-time support channels (Slack, Teams) staffed by developer productivity teams to resolve enrollment issues quickly. After full rollout, integrate 2FA verification into onboarding checklists and periodic access reviews to maintain compliance.

By treating GitHub’s two-factor authentication mandate as a catalyst for stronger identity assurance, organisations can reduce account takeover risk, strengthen supply chain security, and demonstrate commitment to industry-leading development practices.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Developer pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • GitHub
  • Two-factor authentication
  • Software supply chain
  • Identity security
Back to curated briefings