GitHub Starts Implementing Mandatory Two-Factor Authentication

GitHub has announced the start of a phased transition to mandatory two-factor authentication for all users who publish code. Starting March 13, mandatory two-factor authentication will be enforced for certain groups of users, with new categories gradually added. It will first become mandatory for developers who publish packages, OAuth applications and GitHub Apps, create releases, contribute to projects critical to the npm, OpenSSF, PyPI and RubyGems ecosystems, and contribute to the four million most popular repositories.

By the end of 2023, no GitHub user will be able to push changes without two-factor authentication. As a user's transition date approaches, GitHub will send email notifications and display warnings in the web interface. After the first warning is sent, the developer has 45 days to set up two-factor authentication.

For two-factor authentication, users can use a mobile app, SMS verification, or attach a passkey. Apps that generate time-based one-time passwords (TOTP), such as Authy, Google Authenticator and FreeOTP, are the recommended option.

Mandatory two-factor authentication will raise the security of the development process and protect repositories from malicious changes made possible by leaked credentials, reuse of the same password on a compromised site, compromise of the developer's local machine, or social engineering. According to GitHub, attackers gaining access to repositories through account takeover is one of the most dangerous threats, because a successful attack allows malicious changes to be inserted into popular products and libraries that are used as dependencies.

Source: opennet.ru