GitHub has released the early results of its two-factor authentication (2FA) requirements for code contributors on GitHub.com, which were first announced in 2022 and rolled out across 2023 in an effort to secure developer accounts and prevent the next supply chain attack.
GitHub found that there has been a dramatic increase in 2FA adoption on GitHub.com, focused on users who have the most critical impact on the software supply chain. Moreover, users are adopting more secure means of 2FA, including passkeys.
GitHub also recorded a net reduction in 2FA-related support ticket volume, which it credits to heavy up-front user research and design, as well as Support process improvements.
Additionally, other organisations like RubyGems, PyPI, and AWS joined in raising the bar for the entire software supply chain, proving that large increases in 2FA adoption aren’t an insurmountable challenge.
“In May 2022, we introduced an initiative to raise the bar for supply chain security by addressing the first link in that chain–the security of developers. Because strong multi-factor authentication remains one of the best defenses against account takeover and subsequent supply chain compromise, we set an ambitious goal to require users who contribute code on GitHub.com to enable one or more forms of 2FA by the end of 2023,” Mike Hanley, Chief Security Officer at GitHub, said.
“What followed was a year’s worth of investments in research and design around the implementation of these requirements, to optimize for a seamless experience for developers, followed by a gradual rollout to ensure successful user onboarding as we continued to scale our requirements. While our efforts to ensure developers can be as secure as possible on GitHub.com don’t end here, today we’re sharing the results of the first phase of our 2FA enrollment, with a call for more organizations to implement similar requirements across their own platforms,” Hanley added.