Security: Optional per-push TOTP verification for protected branches

[PHPCraftdream]

🏷️ Discussion Type

Product Feedback

Body

Problem

GitHub currently enforces 2FA at the credential issuance layer (login,
PAT creation, OAuth flow) but not at the credential use layer
(individual git operations). Once a PAT or SSH key exists on disk, an
attacker who obtains that credential — through malware, a misplaced
laptop, a leaked .env, or a compromised CI secret — can push arbitrary
commits without any further challenge.

For maintainers of public, high-trust projects (language specs, security
tools, cryptography libraries, supply-chain-sensitive packages), this is
a real gap. The existing mitigations don't fully close it:

• Branch protection + required reviews — works for merges, but a solo
  maintainer ends up reviewing their own PRs.
• Signed commits — protect against tampering of existing commits, not
  against the attacker signing new commits with a stolen on-disk GPG
  key.
• Hardware-backed SSH keys (FIDO2 / YubiKey) — strong against passive
  key theft: with -O verify-required every operation demands physical
  touch, and the private key never leaves the device. The residual risk
  is narrow but real: during a legitimate user-initiated push, malware
  on the same machine could attempt to substitute the content being
  signed. This is a timing-and-substitution attack, not a passive
  compromise, but it means hardware keys alone don't give a server-side
  attestation that the user intended this specific push, to this
  specific branch, of these specific commits.
• Separate release machine — effective but high friction; most solo
  maintainers won't adopt.

What's missing is a server-side gate that verifies a fresh 2FA
factor at the moment of git push — something the attacker cannot
bypass from the victim's machine alone, and that binds the approval to
the specific payload being pushed.

Proposal

A repo or org branch-protection setting:

Require 2FA challenge on push

When enabled, git push to any protected branch must be preceded by
a one-time 2FA confirmation (TOTP, WebAuthn, or GitHub Mobile push).
The approval is recorded server-side and bound to the specific
(user, repo, ref, commit SHAs) tuple. It does not carry over to a
different push.

UX sketch (no wire-protocol changes)

1. User runs git push origin main.
2. GitHub's remote rejects the push with a distinctive message, for
   example:
   remote: 2FA approval required. Approve at https://github.com/auth/push/XXXX
   Alternatively, a GitHub Mobile push notification is delivered for
   the same pending approval.
3. The user approves in the browser or mobile app. GitHub records the
   approval server-side, keyed by (user, repo, ref, commit SHAs).
4. The user re-runs git push. GitHub, seeing a matching approval for
   this exact payload, accepts the push.

The deliberate design choice here: no change to the git wire
protocol. The client isn't asked to understand a new auth flow; the
push is just a normal push that happens to succeed only if a
matching server-side approval exists. A future client-side convenience
(e.g., gh push, IDE integration, a credential helper that polls the
approval endpoint) can shorten this to a single command, but that's
an implementation layer above the protocol change — not a
prerequisite.

Scope knobs (essential)

• Per-branch, not account-wide — main/release branches only;
  feature branches unaffected.
• Exemptions:
  • GitHub Actions pushing via GITHUB_TOKEN (already gated by
    workflow permissions).
  • Deploy keys marked read/write with an explicit "CI" flag.
  • Merge commits created through the PR UI (merge button already
    happens inside an authenticated session).
• Challenge modalities: TOTP, WebAuthn, GitHub Mobile push — same
  factors as existing 2FA UX, not a new factor type.
• Default off — opt-in per repo / org, exactly like signed-commit
  enforcement today.

Prior art

Within GitHub itself

The existing branch protection rule "Require approval of the most
recent push" already recognises that a push is a security-sensitive
event that may need additional verification beyond the initial
credential — it just implements that verification through a human
reviewer, not a cryptographic factor. This proposal is the same
pattern with a TOTP / WebAuthn gate instead of (or in addition to) a
second-person approval. Solo maintainers, who can't use the
second-person path, are currently unprotected against the
stolen-credential scenario.

GitHub's existing "sudo mode" — short-lived re-authentication
required for sensitive UI operations (changing email, deleting a
repo, issuing a PAT) — is exactly the primitive that would be
extended to git push under this proposal.

Outside GitHub

• npm — publish-with-2FA requires a fresh OTP for every
  publish. Widely adopted by security-sensitive packages. Works
  with automation via scoped automation tokens.
• crates.io — "Require 2FA for crates you own" recently
  added.
• RubyGems — --otp flag for gem push; MFA-required
  accounts.
• PyPI — 2FA required for all accounts, Trusted Publishers for
  automation.

GitHub is the odd one out among major distribution platforms in
not offering a per-operation 2FA gate.

Why not just enforce it on all pushes?

Because that breaks CI, bots, and scripted workflows. The proposal
here is specifically:

• opt-in,
• per-branch,
• with explicit automation exemptions.

No default behaviour changes. Existing repos and workflows continue
to work. Only repos where the owner explicitly opts in are affected
— and those owners have already accepted the friction by choosing
the setting.

Why this matters now

Credential-theft supply-chain attacks against source and package
ecosystems are a recurring category, not a one-off. Examples where
a stolen maintainer credential directly led to malicious publishes
or pushes:

• PHP source code (March 2021) — two malicious commits were
  pushed to the canonical git.php.net repository using
  compromised maintainer credentials. The incident directly
  motivated PHP's migration of its source to GitHub.
• ua-parser-js (October 2021) — maintainer's npm account
  compromised; malicious versions published.
• coa and rc (November 2021) — same pattern, npm account
  takeovers.
• PyPI ctx and phpass (May 2022) — maintainer credentials
  stolen, backdoored versions published.

(Social-engineering attacks such as xz-utils 2024 and the 2024
polyfill.io domain-transfer incident are a different threat model
and would not be addressed by this proposal. The focus here is
specifically the credential-theft subclass.)

For every attack above, a per-operation 2FA gate bound to the
payload would have forced the attacker to also compromise the
victim's second factor — not just their machine or token. That is
the single hardening step missing from GitHub today that other
major publishing platforms already offer.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐