/great-mfa-project

OtherNOASSERTION

The Great MFA Distribution Project

Welcome to the Great MFA Distribution Project (great-mfa-project). The goal of this project is to:

  1. Distribute multi-factor authentication (MFA) tokens to some developers of critical open source software (OSS), and
  2. Provide or point to information so help people easily use MFA tokens.

Google and GitHub have generously offered to provide and distribute MFA tokens. Thank you!

How do I get an MFA token?

If your open source software (OSS) project has notified you that you're getting a free token from us, you'll receive a Google coupon code or a GitHub validation code. Here are step-by-step instructions:

The OpenSSF cares about privacy and does not get detailed lists of who gets every token; we only get aggregate values (per-project Google tokens and aggregate totals from GitHub).

How do I use an MFA token?

We've developed some simple instructions for using MFA tokens in common OSS situations.

Titan

  • How to setup on MacOS, Windows, Linux desktops
  • How to log into GitHub / GitLab
  • How to post a release to Python PyPI
  • How to post a release to JavaScript npm

Yubikey

Yubikey Guide is a relatively exhaustive guide.

  • How to setup on MacOS, Windows, Linux desktops
  • How to log into GitHub / GitLab
  • How to post a release to Python PyPI
  • How to post a release to JavaScript npm

How we're doing this

Here is our basic plan:

  • We'll use a list of about 100 critical open source software (OSS) projects as identified by the OpenSSF Securing Critical Projects Working Group; see their current list. We'll use the version as of 2021-12-02, since the Google coupon codes expire on 2021-12-31.
  • We'll also develop a set of simple documents on how to use these tokens for common OSS cases, by 2021-12-02
  • Identified critical OSS projects will be sent at invitation by one of the great-mfa-plan notifiers (e.g., John Naulty, David A. Wheeler), typically by filing an issue, in 2021-12-02..09.
  • When a project accepts, the notifier will tell a sender (David A. Wheeler or Jory Burson) key information: the project who has accepted, the email address to send private information to, and how the project accepted. The sender will then send the project the coupon codes and validation codes using the coupon_sending.md template. This is 2021-12-03..31.
  • Projects distribute the codes. Receivers use them to get the tokens from the Google Store or GitHub shop. Then the tokens get used!
  • Projects send back some information, that we combine with other data and determine whether or not we've had a positive effect (hopefully we have!).

You can see the draft document The Great MFA Distribution Plan if you want to see more detail. We've taken some steps to make sure this does not turn into the "world's best supply chain attack"; see our security rationale. We also want to ensure this isn't just a "token effort".

Why are we doing this?

Why do this? Our goal is to prevent supply chain attacks involving weak or compromised credentials of developers of open source software. The "Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attack" by Ohm et al noted that this is one way to subvert OSS, e.g., its source code (in a force) or its package (in a package repository). Here are examples:

MFA tokens don't counter all attacks (such as typosquatting) but they can definitely help.

Background information

Some will refer to these as "two-factor authentication" (2FA) tokens, however, for various reasons we're using the term "MFA" instead.

The Great MFA Distribution Project is a project of the Linux Foundation's Open Source Security Foundation (OpenSSF) within its Best Practices Working Group. Discussions are held within that working group's mailing list and online meetings.

All documents, including any improvements, are released under the Creative Commons Attribution (CC BY) license.