Mandatory MFA pays off for GitHub and OSS community

Mandating multifactor authentication for select developers has been a huge success for GitHub, the platform reports, and now it wants to go further

Alex Scroxton,
Security Editor

Published: 24 Apr 2024 20:18

Introducing a multifactor authentication (MFA) mandate for users of its platform has paid off for GitHub, which has reported a massive uplift in adoption in the past 12 months, as it continues its drive to improve cyber security standards across the open source software (OSS) community.

Recognising the security impact of software supply chain issues on thousands of organisations worldwide that were compromised through issues arising through insecure OSS code – the Log4Shell incident being arguably the most infamous – GitHub embarked on a drive to raise the bar for supply chain security by addressing developers in May 2022.

It introduced mandatory MFA for selected users in March 2023 as part of that, focusing at first on those considered to have the most critical impact on the software supply chain.

In the past 12 months, the platform said it has seen an opt-in rate of 95% across code contributors who received the MFA requirement, with enrolments still trickling in today. More widely, it added, it has seen a 54% increase in MFA adoption among all active contributors to GitHub-hosted projects.

“Though technology has advanced significantly to combat the proliferation of sophisticated security threats, the reality is that preventing the next cyber attack depends on getting the security basics right, and efforts to secure the software ecosystem must protect the developers who design, build, and maintain the software we all depend on,” wrote Mike Hanley, chief security officer and senior vice president of engineering at GitHub.

“As the home to the world’s largest developer community, GitHub is in a unique position to help improve the security of the software supply chain…strong MFA remains one of the best defences against account takeover and subsequent supply chain compromise.”

In addition to driving developers towards better basic cyber hygiene, GitHub said it has also seen users adopting more secure means of MFA – including passkeys, the introduction of which was a key focus of the initiative; it has registered 1.4 million passkeys on GitHub.com since opening a public beta in July 2023 and the technology has quickly overtaken other forms of Webauthn-backed MFA in day-to-day usage on the platform.

In the interests of flexibility it does continue to offer less secure forms of MFA, such as SMS codes, for the time being, although Hanley said GitHub had tried to make its MFA onboarding workflows nudge people away from SMS as a choice.

GitHub also reported a net reduction in MFA-related support ticket volumes, which it credits to heavy upfront user research and design, as well as some backend support process improvements it has made.

Additionally, said Hanley, other OSS leaders are also getting involved. “Organisations like RubyGems, PyPI, and AWS joined us in raising the bar for the entire software supply chain, proving that large increases in MFA adoption aren’t an insurmountable challenge,” he wrote.

Call to action

Looking ahead, Hanley said that the scope of the project has up to now prioritised specific user groups based on their privileges and actions, but stressed that GitHub is keen to explore how it can require more users to enrol in the next 12 months, and encouraging developers to move up the food chain to more secure factors such as passkeys, while maintaining the user experience.

It is also investigating implementing other account security features such as session and token binding that could enable users to manage the risk of account compromise more effectively regardless of whether or not they have enrolled in MFA. Hanley said there was still much work to be done to support users who may not be able to access a smartphone or who do not have control over the software on the computer they are using to adopt MFA.

“As a global platform, we believe that everyone should have access to tools that make software development easier and more secure, and our efforts to enforce strong authentication for as many developers as possible is ongoing,” said Hanley.

“We’ll continue to find solutions to protect developers, the projects they’re working on, and the communities they participate in, working hard to take a balanced approach that greatly improves the security of the entire software supply chain without restricting those with different setups or environments around the world,” he said.

Marking the one-year anniversary of the start of the MFA mandate, GitHub said it was clear that it was in fact possible to raise the bar for security without negatively affecting user experience, and is encouraging its peers and the wider industry to strongly consider making MFA a compulsory requirement on their platforms.

Read more on Application security and coding requirements

How passwordless helps guard against AI-enhanced attacks