Since those improvements, Swanson says, the company has seen a 38 percent increase in users downloading their recovery codes and a 42 percent reduction in 2FA-related support tickets. GitHub users are also making 33 percent fewer attempts to recover locked accounts. In other words, account lockouts appear to be down by a third.
Swanson says the results have been very heartening as the company has started rolling out mandatory two-factor to batches of users in recent months. The effort will continue throughout 2023 and beyond. But all the concern and care that has gone into the process has a specific goal in mind.
“As we approach enrollment for a user, they receive a number of emails spread out over about 45 days, and they also receive site banners when they visit the site that inform them of the changes and the requirements,” Swanson says. “Then they have an option right at the end of the 45 days for a one-time, seven-day opt-out if they must. Maybe they’re on vacation or need to do something ultra-critical to help ease that enforcement point. But after the seven days, you are blocked from accessing github.com. There is no option for an opt-out at this point.”
In their two-factor campaigns, Apple and Google have left some wiggle room for users who want to intentionally and deliberately leave 2FA off. But other than a legitimate and insurmountable accessibility issue, Swanson says GitHub has no plans for lenience. And no one has raised such a concern so far.
“We take every measure we can to try and make folks aware and avoid problems. But at some point, we feel like we have an obligation—and a responsibility—to support the broader software ecosystem and help it be secure,” Swanson says. “And we think this is an important way of doing it.”
Swanson emphasizes that digital platforms need to promote two-factor adoption across the board, but that they first need to conduct research, carefully plan, and expand their support capacity before mandating the protection.
“Though we want folks to join us on this journey, this isn’t something that organizations should take lightly. You need to prepare and get the user experience right,” he says. “If our intent is to normalize 2FA for the broader community, the worst thing we could do is fail and fail visibly.”
