PSA: Enabling mandatory 2-Step Verification on chromium.org (Nov 15)

[Paweł Hajdan, Jr.]

We’re aiming to enable mandatory 2-Step Verification on Nov 15 for all chromium.org accounts. The specific date is subject to change, but it won’t be earlier than the above one.

For some context, please see https://groups.google.com/a/chromium.org/d/msg/infra-dev/dmcGkquZM-8/thJsA_NpPpoJ

Since the above announcement, we’ve seen a very positive response. Over 70% of active chromium.org accounts enrolled in 2-Step Verification. This is a nice increase from less than 5% before the dogfood phase. We’re also not aware of any issues with development workflows.

Unfortunately, due to a technical limitation, people who don’t enable 2-Step Verification will get locked out when it becomes mandatory. It is strongly recommended to enroll your account before that.

If you do get locked out, please file a bug using the following link: https://code.google.com/p/chromium/issues/entry?labels=Infra,Proj-2FactorAuth (from any valid Google account, and specify the name of affected chromium.org account).

Please see https://support.google.com/accounts/answer/185839?hl=en for instructions how to enable 2-Step Verification for your account. Also see https://www.google.com/landing/2step/ for more general context.

Once you enable it, consider switching from SMS codes to a security key (https://support.google.com/accounts/answer/6103534?hl=en) or an app (https://support.google.com/accounts/answer/1066447?hl=en).

If you’re a Googler, you can reuse your existing security key. Otherwise, see https://support.google.com/accounts/answer/6103523?hl=en for possible ways to get one, and note that it’s optional and you can still use SMS codes or the app instead.

You can see the list of currently known issues at https://code.google.com/p/chromium/issues/list?can=2&q=Proj%3D2FactorAuth .

Report any issues using the following link: https://code.google.com/p/chromium/issues/entry?labels=Infra,Proj-2FactorAuth .

Please don’t hesitate to ask any questions about this process, or related comments or concerns.

Paweł

[Ryan Tseng]

Can I enable 2FA without a phone # for SMS yet?

--
You received this message because you are subscribed to the Google Groups "infra-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to infra-dev+...@chromium.org.
To post to this group, send email to infr...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/infra-dev/CAATLsPZZRhaoDuJK9Yr7a6hA8%3D8kTEj2W1-sd0CQX0Z4QdTDMw%40mail.gmail.com.

[Jochen Eisinger]

What's the plan for contributors using non-chromium.org accounts?

[Paweł Hajdan, Jr.]

[-infra-announce]

For now nothing would be changing for non-chromium.org accounts. We're focusing on one thing at a time.

Paweł

[Paweł Hajdan, Jr.]

Unfortunately, as far as I know, no. It is currently required for setup, but you can change that immediately after.

Paweł

[Bartosz Fabianowski]

You definitely can. I do not own a mobile phone and I was able to set up
2FA for my chromium account. I do not remember the exact steps but there
was no SMS involved.

- Bartosz

On 10/01/2015 08:53 PM, Paweł Hajdan, Jr. wrote:
> Unfortunately, as far as I know, no. It is currently required for setup,
> but you can change that immediately after.
>
> Paweł
>
> On Mon, Sep 28, 2015 at 7:49 PM, Ryan Tseng <hin...@chromium.org
> <mailto:hin...@chromium.org>> wrote:
>
> Can I enable 2FA without a phone # for SMS yet?
>
> On Mon, Sep 28, 2015 at 8:19 AM, Paweł Hajdan, Jr.
> <phajd...@chromium.org <mailto:phajd...@chromium.org>> wrote:
>
> We’re aiming to enable mandatory 2-Step Verification on Nov 15

> for all chromium.org <http://chromium.org> accounts.The specific

> date is subject to change, but it won’t be earlier than the
> above one.
>
>
> For some context, please see
> https://groups.google.com/a/chromium.org/d/msg/infra-dev/dmcGkquZM-8/thJsA_NpPpoJ
>
>
> Since the above announcement, we’ve seen a very positive

> response. Over 70% of active chromium.org <http://chromium.org>

> accounts enrolled in 2-Step Verification. This is a nice
> increase from less than 5% before the dogfood phase. We’re also
> not aware of any issues with development workflows.
>
>
> Unfortunately, due to a technical limitation, people who don’t
> enable 2-Step Verification will get locked out when it becomes
> mandatory. It is strongly recommended to enroll your account
> before that.
>
>
> If you do get locked out, please file a bug using the following
> link:
> https://code.google.com/p/chromium/issues/entry?labels=Infra,Proj-2FactorAuth(from
> any valid Google account, and specify the name of affected

> chromium.org <http://chromium.org> account).
>
>
> Please see
> https://support.google.com/accounts/answer/185839?hl=enfor

> instructions how to enable 2-Step Verification for your account.

> Also see https://www.google.com/landing/2step/for more general

> context.
>
>
> Once you enable it, consider switching from SMS codes to a
> security key
> (https://support.google.com/accounts/answer/6103534?hl=en) or an
> app (https://support.google.com/accounts/answer/1066447?hl=en).
>
>
> If you’re a Googler, you can reuse your existing security key.
> Otherwise, see
> https://support.google.com/accounts/answer/6103523?hl=enfor
> possible ways to get one, and note that it’s optional and you
> can still use SMS codes or the app instead.
>
>
> You can see the list of currently known issuesat
> https://code.google.com/p/chromium/issues/list?can=2&q=Proj%3D2FactorAuth.
>
>
> Report any issuesusing the following link:
> https://code.google.com/p/chromium/issues/entry?labels=Infra,Proj-2FactorAuth.
>
>
> Please don’t hesitate to ask any questions about this process,
> or related comments or concerns.
>
>
> Paweł
>
> --
> You received this message because you are subscribed to the
> Google Groups "infra-dev" group.
> To unsubscribe from this group and stop receiving emails from
> it, send an email to infra-dev+...@chromium.org

> <mailto:infra-dev+...@chromium.org>.

> To post to this group, send email to infr...@chromium.org

> <mailto:infr...@chromium.org>.

> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/infra-dev/CAATLsPZZRhaoDuJK9Yr7a6hA8%3D8kTEj2W1-sd0CQX0Z4QdTDMw%40mail.gmail.com

> <https://groups.google.com/a/chromium.org/d/msgid/infra-dev/CAATLsPZZRhaoDuJK9Yr7a6hA8%3D8kTEj2W1-sd0CQX0Z4QdTDMw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>
>
>
> --
> --
> Chromium OS Developers mailing list: chromiu...@chromium.org
> View archives, change email options, or unsubscribe:
> http://groups.google.com/a/chromium.org/group/chromium-os-dev?hl=en
>

[Julius Werner]

I recently followed the steps described here to enable two-factor
authentication for my chromium.org account, and it seems to have
broken git-send-email for me (which is important for upstream work on
mailing list based projects like Linux). Previously I had it
configured so that it would just prompt for my password every time I
run it. Now it demands that I use an app-specific password instead.

Is there a command line STMP client with gnubby support or any other
good workaround for this? I guess I could just permanently store an
app-specific password in my .gitconfig but that seems like a major
step down in security to me.

[Ryan Tseng]

Still stuck here, can you tell me how you were able to bypass it?

[Bartosz Fabianowski]

I remember this step. I entered my landline and chose "voice call." No
mobile phone required.

- Bartosz

On 10/03/2015 08:57 PM, Ryan Tseng wrote:
> Still stuck here, can you tell me how you were able to bypass it?
>
>

> On Fri, Oct 2, 2015 at 10:51 PM, Julius Werner <jwe...@chromium.org
> <mailto:jwe...@chromium.org>> wrote:
>
> I recently followed the steps described here to enable two-factor

> authentication for my chromium.org <http://chromium.org> account,

[Paweł Hajdan, Jr.]

Julius, please consider filing a bug about this (https://code.google.com/p/chromium/issues/entry?labels=Infra,Proj-2FactorAuth) so we can keep track of this issue.

Paweł

[Doug Anderson]

Julius,

My lame solution is:

• Create a bookmark in your browser to "https://security.google.com/settings/u/2/security/apppasswords" (change the "2" depending on the order you log into your Google accounts.  I usually log into my @chromium.org 3rd)
• When you run "git send email", create an app password.  Paste it in to the prompt.
• Wait a minute, then revoke the password.
  

It's definitely an extra hassle, though...

-Doug

[Sean Paul]

I stored the app-specific password in valentine, slightly easier than creating a new password each time.

Sean

 

It's definitely an extra hassle, though...

-Doug

--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-dev?hl=en

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-os-d...@chromium.org.

[Dmitry Torokhov]

Why not save the app-specific passwords in gnome keyring (msmtp knows
how to retrieve them form there as well). Then you can have attached
python scriptlet to retrieve them. Just use:

GIT_ASKPASS=~/bin/git-get-mail-pass.py git send-email ...

[Julius Werner]

While we're all passing around our insane custom hacks that every one
of us needed to waste time on due to this imprudent policy decision, I
of course don't want to stand back ;) (although dtor's looks much
better):

gse(){(
umask 0077
mv ~/.gitconfig ~/.gitconfig.bak || exit
rm -f /tmp/.gitconfig &&
openssl enc -aes-256-ctr -d -in ~/.gitconfig.aes -out /tmp/.gitconfig &&
ln -s /tmp/.gitconfig ~/.gitconfig &&
git send-email "$@"
mv ~/.gitconfig.bak ~/.gitconfig
rm -f /tmp/.gitconfig
)}