Security Policy Briefing — GitHub Mandates Two-Factor Authentication
GitHub announced on May 4, 2022 that contributors to code on GitHub.com must enable two-factor authentication by the end of 2023, raising the baseline for supply-chain security across the open-source ecosystem.
Executive briefing: On May 4, 2022, GitHub announced a platform-wide initiative requiring all developers who contribute code to enable two-factor authentication (2FA) by the end of 2023. The mandate aims to curb account takeovers and protect the software supply chains that depend on GitHub repositories.
Policy highlights
- Staged enforcement. GitHub staged enforcement waves, notifying maintainers and contributors via email and in-product messaging prior to mandatory enablement windows.
- Broad coverage. The requirement applies to maintainers of npm packages and all contributors to GitHub-hosted code, extending earlier 2FA requirements for npm publishers.
- Modern authentication methods. Users can satisfy the mandate with security keys, authenticator apps, GitHub Mobile, or passkeys.
Implementation guidance
- Developer onboarding. Update joiner/mover/leaver processes to enforce hardware token issuance or approved authenticator applications before repository access is granted.
- Monitoring. Track enforcement cohorts and automate compliance checks through the GitHub REST/GraphQL APIs to ensure contributors enable 2FA before deadlines.
- Incident response. Review account recovery procedures and ensure backup authentication methods are documented for regulated workloads.
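As an added example (not from the original briefing and not GitHub's own tooling), the Python below implements the compliance check described under Monitoring against the GitHub REST API's members endpoint, which accepts `filter=2fa_disabled` for callers holding an organization-owner token; the organization name, member logins and the offline fetch stand-in are constructed for the demonstration.

```python
import json
from urllib.parse import urlencode

API = "https://api.github.com"


def members_url(org, page=1, per_page=100, only_2fa_disabled=True):
    """Build the paginated URL for GET /orgs/{org}/members.
    filter=2fa_disabled narrows the list to members without 2FA; the API
    only honours it when the token belongs to an organization owner."""
    params = {"filter": "2fa_disabled"} if only_2fa_disabled else {}
    params.update({"per_page": per_page, "page": page})
    return f"{API}/orgs/{org}/members?{urlencode(params)}"


def collect_logins(fetch, org, only_2fa_disabled):
    """Walk every page until an empty page is returned.
    `fetch(url)` performs the authenticated GET and returns the body text."""
    logins, page = [], 1
    while True:
        items = json.loads(fetch(members_url(org, page, 100, only_2fa_disabled)))
        if not items:
            return logins
        logins.extend(member["login"] for member in items)
        page += 1


def compliance_report(fetch, org):
    """Summarise how many members have enabled 2FA and who still has not."""
    everyone = collect_logins(fetch, org, only_2fa_disabled=False)
    missing = sorted(collect_logins(fetch, org, only_2fa_disabled=True))
    return {"org": org, "members": len(everyone),
            "compliant": len(everyone) - len(missing), "without_2fa": missing}


# Constructed offline stand-in for the authenticated GET. A real fetch would
# send the request with an "Authorization: Bearer <token>" header.
ORG = "example-org"  # constructed organization name
SAMPLE_PAGES = {
    members_url(ORG, 1, 100, False): json.dumps(
        [{"login": "alice"}, {"login": "bob"}, {"login": "carol"}]),
    members_url(ORG, 1, 100, True): json.dumps([{"login": "bob"}]),
}


def fake_fetch(url):
    return SAMPLE_PAGES.get(url, "[]")  # pages past the end come back empty


if __name__ == "__main__":
    print(json.dumps(compliance_report(fake_fetch, ORG), indent=2))
```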
Enablement moves
- Communicate the roadmap to internal maintainers and open-source collaborators, providing hardware security keys where appropriate.
- Integrate 2FA status into vendor risk assessments for third-party development partners.
- Align GitHub identity policies with enterprise IAM platforms and conditional access controls.