Starting on March 13th, GitHub is embarking on a campaign of getting every user enrolled in two-factor authentication for their login. Rather than trying to do it all at once, they are selecting small groups of developer accounts to target, sending them emails and displaying a banner notification when a user logs in.
Targeted accounts will have 45 days to enroll before being forced to enable 2FA on their next login. GitHub supports TOTP, security keys, and SMS-based factors. While they recommend using TOTP or security keys over SMS, they don’t put SMS behind a paywall, unlike Twitter. You can also set up multiple second factors and select which is your preferred method. Additionally, GitHub is testing the use of passkeys for integration later this year.
Considering the staggering amount of important code that lives on GitHub, I’m surprised it took them this long to roll out the 2FA requirement. Other sites should take notice and enable similar policies, helping make our web a little safer.