---

To improve software security, organizations must force two-factor authentication sooner than later, as a single password may be the only thing protecting your data.

GitHub took a step toward improving software security, announcing that contributors to all code repositories must use two-factor authentication (2FA) by the end of 2023. Employing 2FA increases account security, but developers, software vendors, and customers should consider what they can do now to strengthen their software, both for their own benefit and that of the rest of the software ecosystem. To start, you don’t have to wait to adopt some form of 2FA, which typically uses a combination of a password with a security token or biometric feature like a fingerprint or face scan. 2FA isn’t perfect, but it is harder to compromise than a single password and it has proven effective at reducing credential compromises and other attacks.

Effective steps organizations can focus on include:

Software composition analysis.

SCA is an automated process of evaluating the security, license compliance and code quality of open-source software. With the increased use of cloud-native applications and DevOps/DevSecOps practices, trying to track open-source code manually is no longer practical. SCA’s automated analysis is quickly becoming essential.

Software Bill of Materials (SBOM).

SBOM is a machine-readable inventory of software components and dependencies, including information about those components and their hierarchical relationships. An SBOM can reduce risk, along with providing other benefits such as reducing costs and compliance risks.

SBOMs can also help in avoiding potentially harmful practices, such as auto-merging code from open-source repositories, and they allow you to be as discerning as possible when going between versions in open-source repos.

Passwordless Technology.

Apple, Google and Microsoft announced plans to build support for passwordless authentication across all of the platforms they control. It might be hard to imagine a world without passwords, but it already exists on billions of devices that users unlock with fingerprint or face verification, or the use of a device PIN, all of which are simpler and more secure than passwords or technologies such as one-time passcodes sent via SMS. Passwordless authentication can include physical security keys, specialized apps, emailed magic links and biometrics.

You might not think that passwords are your problem, but passwords are your problem; especially when a single password is the only thing standing between an attacker and your data. Encouraging 2FA for GitHub contributors undoubtedly is a positive step but forcing it should happen sooner rather than later.

---

You can read more about Two-Factor Authentication here.

Teknita has the expert resources to support all your technology initiatives.
We are always happy to hear from you.

Click here to connect with our experts!