
On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. Read on to learn about what the process entails and how you can help secure the software supply chain with 2FA.
Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA) by the end of 2023.
GitHub is central to the software supply chain, and securing the software supply chain starts with the developer. Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security. Developers’ accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain.
Over the course of the next year, we’ll be reaching out to groups of developers and administrators, starting with smaller groups on March 13, to notify them of their 2FA enrollment requirement. This gradual rollout will let us make sure developers are able to successfully onboard, and make adjustments as needed before we scale to larger groups as the year progresses.
If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You’ll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. We’ll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com. You’ll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don’t worry: this snooze period only starts once you’ve signed in after the deadline, so if you’re on vacation or out of office, you’ll still get that one-week period to set up 2FA when you’re back at your desk.
So, what if you’re not in an early enrollment group but you want to get started? Click here and follow a few easy steps to enroll in 2FA.
We want enrolling your GitHub account in 2FA to be as easy as possible, using methods that are reliable and secure so you always have access to your account (and no one else does!). To prepare for this program we’ve been busy enhancing that experience. Here are a few of the highlights:
Lastly, we’re already testing passkeys internally, which we believe will combine ease of use with strong, phishing-resistant authentication. Keep an eye on this space for when this functionality is ready for you.
GitHub has designed a rollout process intended to both minimize unexpected interruptions and productivity loss for users and prevent account lockouts. Groups of users will be asked to enable 2FA over time, each group selected based on the actions they’ve taken or the code they’ve contributed to.
If your project takes off or you become the maintainer of a critical repository, you might suddenly qualify for a group that’s already begun its enrollment timeline. If that happens, you’ll start your 45-day period the next day, following the same timeline described above.
Open source software is ubiquitous, with 90 percent of companies reporting that they use open source in their proprietary software. GitHub is a critical part of the open source ecosystem, which is why we take ensuring account security seriously. Strong authentication and the use of 2FA have been recognized as best practice for many years, so we feel that GitHub has a duty to expand this best practice as part of protecting the software supply chain.
Most importantly, though, we can’t improve the security of the software supply chain without you. We thank you in advance for your support, and for enrolling your GitHub account in 2FA to make open source software more secure for all.