GitHub’s Hardcore Plan to Roll Out Two-Factor Authentication (2FA)

You’ve heard the advice for years: Turn on two-factor authentication everywhere it’s offered. It’s long been clear that using only a username and password to secure digital accounts isn’t enough. But layering on an additional authentication “factor”—like a randomly generated code or a physical token—makes the keys to your kingdom much tougher to guess or steal. And the stakes are high for both individuals and institutions trying to protect their valuable and sensitive networks and data from targeted hacking or opportunist criminals.

Even with all its benefits, though, it often takes a little tough love to get people to actually turn on two-factor authentication, often known as 2FA. At the Black Hat security conference in Las Vegas yesterday, John Swanson, director of security strategy at GitHub, presented findings from the dominant software development platform’s two-year effort to research, plan, and then start rolling out mandatory two-factor for all accounts. And the effort has taken on ever-increasing urgency as software supply chain attacks proliferate and threats to the software development ecosystem grow.

“There’s a lot of talk about exploits and zero days and build pipeline compromises in terms of the software supply chain, but at the end of the day, the easiest way to compromise the software supply chain is to compromise an individual developer or engineer,” Swanson told WIRED ahead of his conference presentation. “We believe that 2FA is a really impactful way to work on preventing that.”

Companies like Apple and Google have made concerted efforts to push their massive user bases toward 2FA, but Swanson points out that companies with a hardware ecosystem, like phones and computers, in addition to software have more options for easing the transition for customers. Web platforms like GitHub need to use tailored strategies to make sure two-factor isn’t too onerous for users all over the world who all have different circumstances and resources.

For example, receiving randomly generated codes for two-factor via SMS text messages is less secure than generating those codes in a dedicated mobile app, because attackers have methods for compromising targets’ phone numbers and intercepting their text messages. Primarily as a cost-saving measure, companies like X, formerly known as Twitter, have curtailed their SMS two-factor offerings. But Swanson says that he and his GitHub colleagues studied the choice carefully and concluded that it was more important to offer multiple two-factor options than to take a hard line on SMS code delivery. Any second factor is better than nothing. GitHub also offers and more strongly promotes alternatives like using a code-generating authentication app, mobile push message-based authentication, or a hardware authentication token. The company also recently added support for passkeys.

The bottom line is that, one way or another, all 100 million GitHub users are going to end up turning on 2FA if they haven’t already. Before starting the rollout, Swanson and his team spent significant time studying the two-factor user experience. They overhauled the onboarding flow to make it harder for users to misconfigure their two-factor, a leading cause of customers getting locked out of their accounts. The process included more emphasis on things like downloading backup recovery codes so people have a safety net to get into their accounts if they lose access. The company also examined its support capacity to ensure that it could field questions and concerns smoothly.