GitHub announced on Wednesday that they require users who upload code to enable one or more two-factor authentication forms by the end of 2023 to continue to use the platform. GitHub’s internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts.
Microsoft reminded everyone yesterday that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.
While I’m on authentication, Microsoft, Google, and Apple all committed on Thursday that they are expanding support for the FIDO Alliance and will implement passwordless FIDO sign-in standards across macOS and Safari; Android and Chrome; and Windows and Edge. The goal – eliminate passwords and instead use a stored FIDO credential called a passkey to unlock the device. With this extended commitment, users will be able to automatically access their passkey on many of their devices, even new ones, without having to re-enroll every account. Additionally, people will be able to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they’re running.
This one from the Record: Cybersecurity analysts published information Monday about a potentially severe unpatched bug in code for the internet of things (IoT) devices because they want the public’s help in fixing the problem, which could affect technology used in critical infrastructure. The flaw could allow attackers to perform “DNS poisoning attacks” against a target device, confusing how it recognizes activity from the internet domain name system (DNS).
The company said it went public with information about the unpatched vulnerability because even after a long disclosure process, the maintainer of the uClibc library was “unable to develop a fix.” Nozomi Networks’ goal is to work “with the maintainer of the library and the broader community in support of finding a solution,” the researchers wrote.
And in trends news, the Washington Post reported this week about the increase of attacks on Russia due to the war in Ukraine. While initially, experts expected the attacks to come from Russia against the rest of the world, particularly the US, instead of Russia itself. Attackers have gone after personal financial data, defaced websites, and mined for government secrets in email releases. One recent survey showed that more passwords and other sensitive data from Russia were dumped onto the open Web in March than information from any other country.
Why do we care?
A passwordless future should be exciting for two reasons. First, it’s a massive win for the risk profiles of users. Second, it’s a real opportunity for customers to invest in something that helps security and makes their lives better.
Bring on the passwordless future!

