GitHub’s Hardcore Plan to Roll Out Mandatory Two-Factor
Wired

You’ve heard the advice for years: Turn on two-factor authentication everywhere it’s offered. At the Black Hat security conference in Las Vegas yesterday, John Swanson, director of security strategy at GitHub, presented findings from the dominant software development platform’s two-year effort to research, plan, and then start rolling out mandatory two-factor for all accounts.

“There’s a lot of talk about exploits and zero days and build pipeline compromises in terms of the software supply chain, but at the end of the day, the easiest way to compromise the software supply chain is to compromise an individual developer or engineer,” Swanson told WIRED ahead of his conference presentation. “We believe that 2FA is a really impactful way to work on preventing that.”

Companies like Apple and Google have made concerted efforts to push their massive user bases toward 2FA, but Swanson points out that companies with a hardware ecosystem, like phones and computers, in addition to software have more options for easing the transition for customers. GitHub also offers and more strongly promotes alternatives like using a code-generating authentication app, mobile push message-based authentication, or a hardware authentication token.