IT Brief Australia - Technology news for CIOs & IT decision-makers
GitHub's 2FA initiative helps secure software supply chain
Fri, 26th Apr 2024

GitHub has published the initial outcomes of its two-factor authentication (2FA) requirement for code contributors, introduced as a defence against software supply chain attacks. After a year of user research, design work and the enrolment of large groups of developers, 2023 saw measurable gains in account security across the platform.

The most significant result was a sharp rise in 2FA adoption on GitHub.com, concentrated among the users whose accounts have the greatest influence over the software supply chain. The data also showed increased use of the strongest 2FA methods, notably passkeys, which steadily displaced other forms of WebAuthn-based 2FA. Perhaps surprisingly, the number of 2FA-related support tickets fell overall, a drop GitHub attributes to extensive user research, design work and improvements to its support processes. Other organisations, including RubyGems, PyPI and AWS, joined GitHub in raising their authentication requirements, producing large increases in 2FA adoption across the wider software supply chain.

GitHub's Chief Security Officer, Mike Hanley, said of the response: "Preventing the next cyberattack depends on getting the security basics right... efforts to secure the software ecosystem must protect the developers who design, build, and maintain the software we all depend on." He stressed that strong multi-factor authentication is needed to guard against account takeover, a common precursor to supply chain compromise, and said that GitHub's position at the centre of the developer ecosystem allowed its 2FA initiative to make a substantial contribution to supply chain security.

Launched in 2023, GitHub's mandatory 2FA initiative saw a take-up rate of almost 95% among code contributors, which translated into a 54% increase in 2FA adoption across all active contributors on GitHub.com. A central aim was to steer users towards passkeys, the option that combines the strongest security with the best usability. The uptake of passkeys cannot be overstated: nearly 1.4 million had been registered on GitHub.com by early 2024. Although GitHub kept SMS available as a 2FA option, deliberate design choices nudged users towards more secure methods wherever possible, and the share of SMS as a second factor fell by nearly 23% between early 2023 and early 2024.

Improvements to the enrolment experience and the passkey rollout meant that nearly 50% of users configured two or more 2FA methods. Each additional method greatly reduces the chance of a user losing every factor and being locked out, giving a smoother and more reliable experience. Substantial investment in the 2FA onboarding workflow and other design changes also cut the number of 2FA-related support tickets by a third.

While the primary goal was to secure developers on GitHub.com, the 2FA rollout had far-reaching effects on the software supply chain, prompting other organisations to adopt similar measures. GitHub continues to press forward, exploring how to bring more users onto 2FA, improving the user experience through session and token binding, and driving adoption of more secure authenticators. The company hopes more organisations will follow suit. As Hanley puts it, "Security that isn’t usable isn’t security at all."