tldr-pages/tldr

Proposal: enforce 2FA requirement for Org members and collaborators

kbdharun opened this issue · 12 comments

Continuing #11918 (comment). (cc @sbrl)

I want to propose enabling two-factor authentication (2FA) at an organisational level for all members and outside collaborators to have better operational security (OPSEC) at tldr. This would prevent unauthorized access to the repositories and clients at Org in case the maintainer's credentials are leaked/their device is compromised.

Since we are a decentralized organization, it is essential to implement basic OPSEC practices like 2FA, private vulnerability reporting, etc. We already have some practices in place; 2FA would be the most recent addition to them. GitHub is actively requiring accounts to enable 2FA, so you would want to enable it nonetheless.

The following users don't have 2FA enabled for their accounts. I would like to request you guys to enable it soon (to prevent being automatically removed when enabling the setting in future).

Org Members: @isaacvicente (Enabled 2FA)
Outside Collaborators:
You can enable two-factor authentication here -> https://github.com/settings/security
Reference links/settings

https://github.com/organizations/tldr-pages/settings/security
  1. https://github.com/orgs/tldr-pages/outside-collaborators?query=two-factor%3Adisabled
  2. https://github.com/orgs/tldr-pages/people?query=two-factor%3Adisabled

Re-enabled 2FA. Thanks for the notification.

Enabled.

sbrl commented

I definitely support this, as soon as everyone has it enabled. We haven't had a breach (that I know of) yet, but we can never be too careful.

We could consider what to do for people who don't reply on a case-by-case basis e.g. after 1 month.

Hi everyone.
I haven't got much time to contribute right now, but I enabled the functionality to stay with you guys.
Cheers!

Feel free to drop me :)

Enabled.

Update: It's been a month and only 2 more people are yet to respond, I will try contacting @isaacvicente and @quantumflo regarding this through other channels, we can enable this setting after a few more days.

Edit (11/03/24): Sent a mail to @quantumflo informing them about this.

I'm sorry, I had some exams in my college this week, so I haven't checked anything from GitHub. I've enabled 2FA now.

> We could consider what to do for people who don't reply on a case-by-case basis e.g. after 1 month.

@sbrl only one more person (@quantumflo) is yet to respond (I sent an email and tried contacting them through other means a few days ago but to no avail). IG we can enable this setting (and update MAINTAINERS.md). We can always reinvite them back when they respond in future. What do you think about this?

@kbdharun
I agree with you.

Almost enabled the setting, when I noticed a new name which didn't appear in either of the lists (not under the query, just normally); no idea why (their 2FA status was marked with a clock, so I suspect they recently disabled it). @Geipro (previously @Proscream), can you enable 2FA for your account?
Will wait till this weekend to enable this fully and update the MAINTAINERS.md file.