[DISCUSS] Requiring use of 2FA (two-factor auth) on GitHub


Misha Brukman

Dec 27, 2017, 11:26:46 PM
to JanusGraph developer list
TL;DR: I would like to propose requiring 2FA (two-factor auth) for all current and future members of the JanusGraph committers and maintainers groups on GitHub. 

Not having 2FA support is a security risk (see below), and as we add more and more committers and maintainers to the project, it increases the attack surface area further.

Note that this only affects your ability to log in to your account on the GitHub website; it does not change the way you work with git (e.g., to push commits to your branches), for which I assume you're using SSH keys.

This would be done by checking the single checkbox on this page:

Those of you without access to see this page, here is what it shows:

As you can clearly see, requiring 2FA instantly removes folks who DO NOT have it enabled, which is why I want everyone to enable it first, before flipping this switch.

GitHub explains quite clearly why this is a necessity in this day and age:

Two-factor authentication, or 2FA, is a way of logging into websites that requires more than just a password. Using a password to log into a website is susceptible to security threats, because it represents a single piece of information a malicious person needs to acquire. The added security that 2FA provides is requiring additional information to sign in.

In GitHub's case, this additional information is an authentication code that's generated by an application on your smartphone or sent as a text message (SMS). After 2FA is enabled, GitHub generates an authentication code any time someone attempts to sign into your GitHub account. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone.

We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it.

You can set up 2FA via a number of methods: a hardware key, a mobile app, SMS (we can debate security of SMS and SMS spoofing separately, but it IS a second factor). If you ask me, the hardware key is easiest, but you'll need a separate key for every laptop/desktop/mainframe/etc. you use. Again, this only refers to your ability to log into the GitHub website, and does not affect your git workflows.

If you are a member of the org, you can see the 2FA status for everyone very easily via: https://github.com/orgs/JanusGraph/people (if you're not an org member, or you're not logged in, you'll just see a list of people, but no details).

I have a separate email drafted for those folks asking them to upgrade their accounts for 2FA. This email is asking whether we're OK with requiring 2FA going forward for everyone.

Please let me know if you have any questions or concerns about this proposal.

Best,
Misha
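The preflight step Misha describes (find out who still lacks 2FA before flipping the org-wide switch), as an added Python example that is not part of the thread: the live query uses GitHub's organization members endpoint with `filter=2fa_disabled` (org owner token required), and the offline run uses constructed team rosters and logins that are made up for illustration.

```python
"""Preflight check before ticking "Require two-factor authentication" on a GitHub org.

Enabling the org-wide requirement immediately removes every member without
2FA, so the safe order is: list who is still missing it, chase them, and flip
the switch only once the privileged teams are fully compliant.
"""
import json
import urllib.request

ORG = "JanusGraph"


def fetch_2fa_disabled(org: str, token: str) -> set[str]:
    """Live query (org owner token required): members who have NOT enabled 2FA.

    Uses GitHub's documented members endpoint with filter=2fa_disabled.
    Orgs with more than 100 such members would also need to follow the Link header.
    """
    url = f"https://api.github.com/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"token {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return {member["login"] for member in json.load(resp)}


def preflight(no_2fa: set[str], privileged: dict[str, set[str]]) -> dict[str, list[str]]:
    """For each privileged team, the logins that would be dropped when the
    requirement is enabled (team member AND no 2FA)."""
    return {team: sorted(logins & no_2fa) for team, logins in privileged.items()}


def ready_to_enable(report: dict[str, list[str]]) -> bool:
    """True only when no committer or maintainer would lose access."""
    return not any(report.values())


# Constructed sample data standing in for the API response and the team rosters.
SAMPLE_NO_2FA = {"bob", "dave"}          # 'dave' is a plain member, not privileged
SAMPLE_TEAMS = {
    "committers": {"alice", "bob", "carol"},
    "maintainers": {"alice", "carol"},
}

if __name__ == "__main__":
    report = preflight(SAMPLE_NO_2FA, SAMPLE_TEAMS)
    for team, missing in report.items():
        print(f"{team}: {'all compliant' if not missing else 'would be removed: ' + ', '.join(missing)}")
    print("safe to enable" if ready_to_enable(report) else "do NOT enable yet")
```

Swap `SAMPLE_NO_2FA` for `fetch_2fa_disabled(ORG, token)` to run it against a real org; the rosters of the committers and maintainers teams still have to be supplied.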

Robert Dale

Dec 28, 2017, 8:19:22 AM
to Misha Brukman, JanusGraph developer list
Sounds good to me.

+1

--
Robert Dale

Henry Saputra

Dec 28, 2017, 2:36:05 PM
to JanusGraph developer list
I like the proposal. +1


Ted Wilmes

Dec 29, 2017, 1:58:46 PM
to JanusGraph developers
That sounds good to me.

Thanks,
Ted

mathias...@gmail.com

Mar 7, 2018, 4:33:17 PM
to JanusGraph developers
Did we ever enable this? +1 let's do it

Misha Brukman

Mar 7, 2018, 7:46:36 PM
to mathias...@gmail.com, JanusGraph developers
No, we haven't yet, because we still don't have 100% 2FA compliance among our current committers, and enabling this feature will immediately remove write access from those folks, which would have a negative effect on the velocity of the project if they can't review / merge PRs.
