RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research
Why RL Built Spectra Assure Community

Why RL Built Spectra Assure Community

We set out to help dev and AppSec teams secure the village: OSS dependencies, malware, more. Learn how.

Read More about Why RL Built Spectra Assure Community
Why RL Built Spectra Assure Community

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

AppSec & Supply Chain SecurityMarch 15, 2023

GitHub enforces 2FA — it’s about time (given the state of supply chain security)

GitHub just got a little safer, by finally forcing users into two-factor authentication. What took you so long, Microsoft?

Richi Jennings
Richi Jennings, Independent industry analyst, editor, and content strategist.Richi Jennings
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
sleek security officer wearing sunglasses

GitHub is a weak link in the software supply chain. Finally, Microsoft is doing something about it — by forcing users into two-factor authentication (2FA).

Unfortunately, SMS is still an option, but at least you don’t have to use it. WebAuthn keys and TOTP are where you should be looking, plus there’s a dedicated GitHub app. Passkeys support isn’t there yet, but it’s “coming soon.”

No need to wait until you’re forced. In this week’s Secure Software Blogwatch, we set it up now.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Clip art.

What took you so long?

What’s the craic? Sergiu Gatlan reports — “GitHub makes 2FA mandatory”:

“Blocked from accessing some features”

GitHub will start requiring active developers to enable two-factor authentication (2FA) on their accounts. … This is the company's latest move towards securing the software supply chain by moving away from basic password-based authentication.

…

The gradual rollout will start … with GitHub reaching out to smaller groups of administrators and developers via email and will speed up as the end of the year approaches. [When] your account is selected for enrollment, you will receive an email and see a banner on GitHub.com requesting you to enroll. … Then you'll have 45 days … during which you can keep using your GitHub account as usual, except for occasional reminders.

…

Developers can use one or more 2FA options, including physical security keys, virtual security keys built into mobile devices like smartphones and laptops, Time-based One-Time Password (TOTP) authenticator apps, or the GitHub Mobile app (after configuring TOTP or SMS 2FA). [If you miss] your enablement deadline … you will be prompted to enable 2FA … and blocked from accessing some features until 2FA is toggled on.

Blocked, you say? Steven J. Vaughan-Nichols reacts accordingly — “No More Mr. Nice Guy”:

“SMS 2FA is better than nothing”

I can only say this: “It’s about time!” … Software supply chain attacks have become commonplace. One of the easiest ways to protect your code is to use 2FA.

…

Yes, I know many of you will find this very annoying. Trust me — it’s worth it. Otherwise, sooner or later, your code repositories will be hacked. It’s not “if,” it’s when.

…

Let me underline a point GitHub makes: … SMS 2FA is better than nothing, but if someone really wants to crack your account, SMS 2FA is the easiest method to crack. Personally, I recommend either a free Google … Microsoft Authenticator; the open source Bitwarden; or a YubiKey or Google Titan key.

Wait. Pause. No Passkeys? GitHub’s Laura Paine and Hirsch Singhal clarify — “Raising the bar for software security”:

"Improve the security of the software supply chain”

We’re already testing Passkeys internally, which we believe will combine ease of use with strong, phishing-resistant authentication. [But today] you can choose between TOTP, SMS, security keys, or GitHub Mobile.

…

We strongly recommend the use of security keys and TOTPs. … SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B. The strongest methods widely available are those that support the WebAuthn secure authentication standard [which] include physical security keys, as well as personal devices that support technologies, such as Windows Hello or Face ID/Touch ID.

…

Open source software is ubiquitous, with 90% of companies reporting that they use open source in their proprietary software. GitHub is a critical part of the open source ecosystem, which is why we take ensuring account security seriously. … We can’t improve the security of the software supply chain without you.

Don’t delay. Do it today, pleads OllieJones:

“Please do it”

Fellow citizens of GitHub, please comply with this 2FA requirement. Please do it cheerfully. And … if you are not sure why you should do it cheerfully, please read up on this corner of information security … called defense-in-depth. If cybercreeps break one level of defense (actually when, not if) then we really want another equally daunting one to keep slowing them down.

…

The way GitHub does the second-factor thing, it is not a big ongoing nuisance. Just click the Trust This Machine button someplace in their signon workflow, I forget where, I haven't seen it in, like, forever.

I possess two YubiKeys. … I keep them in different places. One has been riding around in my pocket on my keyring for … five years. Dropped into puddles, went through the wash once, works just fine. This FIDO / U2F stuff works, friends. It works well. It's easy to add to your personal workflow. Please do it.

But what if I’m a smartphone-eschewing tin-foil hatter? andrewfromx has your back:

oathtool --totp -b 'someCode' — same as any authenticator app but you don't have to take out your phone.

On a Mac it's brew install oath-toolkit … then I alias in .zshrc: …

alias auth_twitter="oathtool --totp -b 'someCode'" and backup my whole .zshrc file with all the codes. … 2FA is so easy when it's just a command line thing to run.

Sounds good. dskoll likes the idea but urges caution:

This obviously reduces security because now your TOTP secret is on the same device you're using to access GitHub. But it's a workable solution — just keep your TOTP secrets in an encrypted volume.

What could possibly go wrong? Trust u/jokasx to bring reality crashing down:

It's all fun and games until you are away from home, on a different computer you don't own and/or the phone battery died. And usually all of those happen at the same time.

And etr has concerns:

My browser is set to delete cookies and stored data when closed, and I typically reopen the browser between sites. This means cached logins are not a thing for me. [And I] need a password manager.

…

The net effect is that 2FA would could mean juggling two apps … which would be a royal pain. [And] that's really starting to resemble 1FA. … More research is in order.

Meanwhile, should you insist on using SMS, jjgreen snarks it up:

We promise that all of those lovely mobile phone numbers won't be used for marketing purposes.

And Finally:

How did we get here?

Previously in And finally


You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Job Moses (via Unsplash; leveled and cropped)

Keep learning

  • Take a deep dive into ClickFix with RL's new report, and join the webinar to learn more about the attack technique. Plus: Get RL's open-source YARA rule.
  • Learn how Gartner® named RL a supply chain security 'Visionary.' Download: Gartner® Magic Quadrant™ for Software Supply Chain Security.
  • Get up to speed on the Agentic Development Security tools landscape in this webinar with Forrester Sr. Analyst Janet Worthington.
  • Understand the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar discussing the findings.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Plus: Join the free Spectra Assure Community today to get hands-on with RL's binary analysis-based software supply chain security platform.

Tags:AppSec & Supply Chain Security

More Blog Posts

AI threat advisor robot

New OWASP tool structures AI threat modeling

Threat Advisor could help teams with AI-specific risks. But a broader AppSec strategy rethink is needed in the AI era.

Learn More about New OWASP tool structures AI threat modeling
New OWASP tool structures AI threat modeling
AI-BOM minimum requirements

AI-BOM push borrows from the SBOM playbook

The Institute for Security and Technology's 'Driving AI Transparency' policy paper makes the case for AI-BOM minimum requirements.

Learn More about AI-BOM push borrows from the SBOM playbook
AI-BOM push borrows from the SBOM playbook
5 takeaways

2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways

The Magic Quadrant™ for Software Supply Chain Security is a 45-minute read. Here's what we feel security leaders need to pull from it.

Learn More about 2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways
2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways
OSS security

Should frontier AI firms fund OSS ecosystem security?

With a ‘vulnpocalypse’ expected, AppSec leaders are calling for the companies to invest in a Great Refactor Fund to secure open source.

Learn More about Should frontier AI firms fund OSS ecosystem security?
Should frontier AI firms fund OSS ecosystem security?

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top
The inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security is outGET THE REPORT
Skip to main content
Contact UsSupportBlogCommunity
reversinglabs
ReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsBlack Hat 2026
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu