GitHub Touts 2FA Adoption Success, Looks Ahead to Further Adoption

GitHub 2FA verification

GitHub today revealed that its initiative to get users to enable one or more forms of two-factor authentication (2FA) by the end of 2023 has been hugely successful. And it plans to increase adoption throughout 2024, both in sheer numbers and through the use of more secure factors.

“As the home to the world’s largest developer community, GitHub is in a unique position to help improve the security of the software supply chain,” GitHub’s Mike Hanley writes in the announcement post. “Because strong multi-factor authentication remains one of the best defenses against account takeover and subsequent supply chain compromise, we set an ambitious goal to require users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.”


GitHub in May 2022 announced its plans to require code contributors to enable 2FA by the end of 2023, and it added passkeys as a more seamless option in mid-2023. Indeed, in my experience, GitHub remains one of the best-ever passkeys implementations.

And so it is perhaps not surprising that GitHub’s initiative paid off nicely: Hanley reports a “dramatic” increase in 2FA adoption throughout 2023, with an opt-in rate of nearly 95 percent across all code contributors on the service. Its related plan to get contributors to adopt multiple 2FA methods, including more secure ones, has likewise been successful, with 1.4 million users adopting passkeys. “Even more impressive,” he says, “passkeys rapidly overtook other forms of WebAuthn-backed 2FA in day-to-day usage.”

Related to this, usage of less secure 2FA methods, most notably SMS, has dropped significantly as well, with 25 percent fewer contributors using this method one year after the start of the 2FA push. And 47 percent of GitHub users have now enrolled at least two different 2FA methods.

GitHub also worked to improve its 2FA onboarding flows, and the combination of this work and the availability of new methods led to a 33 percent reduction in 2FA support tickets; tickets that required human intervention dropped 54 percent. The service also introduced a 2FA verification checkup that appears 28 days after initial enrollment so that users can confirm their second factor still works before they are locked out. This failsafe helped 25 percent of users successfully reconfigure misconfigured 2FA setups.

Looking to the rest of this year, GitHub plans to expand the 2FA rollout across its user base, having first prioritized high-value targets. It is still evaluating the best ways to get more contributors on 2FA, as well as other account-protection measures such as session and token binding. But the general goal is to convince developers to “move up” to more secure authenticator types, like passkeys or security keys.

“Our work here shows that it’s possible to raise the bar for security significantly without negatively impacting users’ experiences,” Hanley concludes. “We encourage other organizations to strongly consider making 2FA requirements on their own platforms where possible.”

If you use GitHub, please consult its documentation for enabling 2FA on your account, adopting passkeys, and requiring 2FA in your organization.


Thurrott © 2024 Thurrott LLC