GitHub has announced a transition to mandatory two-factor authentication for all users who publish code on github.com. In the first stage, in March 2023, mandatory two-factor authentication will begin to apply to individual groups of users, gradually covering more and more new categories.
First of all, the change will affect developers who publish packages and OAuth applications, GitHub developers who create releases, developers involved in projects that are critical to the npm, OpenSSF, PyPI and RubyGems ecosystems, and those working on the four million most popular repositories. By the end of 2023, GitHub intends to completely prohibit all users from pushing changes without two-factor authentication. As the transition to two-factor authentication approaches, users will be sent email notifications and shown warnings in the interface.
The new requirement will strengthen the protection of the development process and protect repositories from malicious changes made as a result of leaked credentials, reuse of the same password on a compromised site, compromise of the developer's local system, or social engineering. According to GitHub, access to repositories gained through account takeover is one of the most dangerous threats, since a successful attack makes it possible to slip hidden changes into popular products and libraries used as dependencies.
Additionally, GitHub has begun providing all users of public repositories with a free service for tracking the accidental publication of confidential data, such as encryption keys, DBMS passwords and API access tokens. In total, more than 200 templates have been implemented to identify various types of keys, tokens, certificates and credentials. To exclude false positives, only token types whose detection is guaranteed are checked. Until the end of January, the feature will be available only to participants in the beta-testing program, after which everyone will be able to use the service.