Stories
Slash Boxes
Comments

SoylentNews is people

GitHub to Require Two Factor Authentication for Code Contributors by Late 2023

posted by janrinok on Friday May 06 2022, @01:47PM   Printer-friendly

An Anonymous Coward writes:

Code locker has figured out it's a giant honeypot for miscreants planning supply chain attacks

GitHub has announced that it will require two factor authentication for users who contribute code on its service.

"The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."

Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds' Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.

Hence its decision to require 2FA "by the end of 2023" for users who commit code, open or merge pull requests, use Actions, or publish packages. GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.

Original Submission

 
This discussion has been archived. No new comments can be posted.
GitHub to Require Two Factor Authentication for Code Contributors by Late 2023 | Log In/Create an Account | Top | 31 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Informative) by Anonymous Coward on Friday May 06 2022, @02:01PM (6 children)

    by Anonymous Coward on Friday May 06 2022, @02:01PM (#1242764)

    First they go and break compatibility with Pale Moon, now they're tryin' to get me to press more buttons than `git push` requires?

    It's not like a self-hosted Gitea doesn't do everything I wanted from GitHub and more. Which is mostly just a git-lfs implementation.

    Starting Score:    0  points
    Moderation   +1  
       Flamebait=1, Insightful=1, Informative=1, Total=3
    Extra 'Informative' Modifier   0  
    Total Score:   1  

  • (Score: 2, Informative) by Anonymous Coward on Friday May 06 2022, @02:06PM (4 children)

    by Anonymous Coward on Friday May 06 2022, @02:06PM (#1242765)

    It's owned by Microsoft, the solution will never be actual security when they can grab credentials under false pretense for a Microsoft owned single sign-on service.

    • (Score: 2, Informative) by Anonymous Coward on Friday May 06 2022, @02:22PM (3 children)

      by Anonymous Coward on Friday May 06 2022, @02:22PM (#1242766)

      It's a joint project with Google and Apple. When those three agree on something, you know it's going to be bad for the users.

      https://arstechnica.com/gadgets/2022/05/apple-google-and-microsoft-want-bluetooth-proximity-to-replace-the-password/ [arstechnica.com]

      • (Score: 0) by Anonymous Coward on Friday May 06 2022, @05:58PM (2 children)

        by Anonymous Coward on Friday May 06 2022, @05:58PM (#1242810)

        Am I the only person who insists bluetooth is disabled on all my devices, at all times?

        • (Score: 0) by Anonymous Coward on Friday May 06 2022, @06:47PM

          by Anonymous Coward on Friday May 06 2022, @06:47PM (#1242831)

          No. Complete waste of power if you aren't using it.

        • (Score: 2) by FatPhil on Saturday May 07 2022, @12:28PM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Saturday May 07 2022, @12:28PM (#1242980) Homepage
          #YouAreNotAlone
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

  • (Score: 0) by Anonymous Coward on Friday May 06 2022, @10:21PM

    by Anonymous Coward on Friday May 06 2022, @10:21PM (#1242882)

    You're misunderstanding the purpose of github. It's a social network, and like every social network for the hip and trendy its goal is to milk the tasty luserbase data and sell it to the highest bidder. 2FA is just another way to milk data, which is why it's typically only all the usual suspects in such matters who insist on requiring it.