GitHub will require two-factor authentication for all active users starting in 2023


Starting late next year, GitHub will require two-factor authentication for developers who actively contribute code to the platform. The obligation will be phased in over the course of the year.

GitHub wants the requirement to apply to every active developer on the platform by the end of 2023. By then, users will need to have enabled one or more forms of multifactor authentication on their account.

The platform divides users into groups. From March, it will gradually ask those groups to set up 2FA for their accounts. GitHub explicitly declines to explain how users are classified into those groups or which group a given user ends up in, but the company uses at least five criteria for this:

  • users who have published GitHub or OAuth apps or packages;
  • users who have created a release repo;
  • enterprise and organization admins;
  • users who have contributed code to repos identified as important by npm, OpenSSF, PyPI, or RubyGems;
  • users who have contributed code to the approximately four million largest public and private repos.

GitHub will look at how the rollout of the 2FA requirement is going for each cohort and adjust the process accordingly. That will start in March next year. The process should be completed by the end of 2023.

Users will receive 45 days' advance warning about the requirement on GitHub and via email. If they ignore it, they will receive a notification every time they log in to the platform from the day the requirement becomes active for them. They can snooze it for a week, after which their account becomes inaccessible until two-factor authentication is activated. Users can use a TOTP code or SMS to secure their account. They can also use a security key, but only in combination with a TOTP code.
