On requiring 2FA for astropy GitHub organization


Pey Lian Lim

Jun 26, 2023, 1:47:06 PM
to astropy-dev
Hi,

This only affects you if you are a member of astropy GitHub organization and do not already have two-factor authentication (2FA) enabled for your GitHub account.

As part of https://github.com/astropy/astropy-project/pull/148 (Add general permissions policy document), I am contemplating requiring 2FA for the astropy GitHub organization. It seems like I cannot do this on a team-by-team basis, so it is all or nothing. Here is the description from GitHub settings:

- Requiring an additional authentication method adds another level of security for your organization.
- Require two-factor authentication for everyone in the The Astropy Project organization.
- Members, billing managers, and outside collaborators who do not have two-factor authentication enabled for their personal account will be removed from the organization and will receive an email notifying them about the change.

If you are affected by this, would you be willing to enable 2FA on your GitHub account? If not, why? If you are not comfortable discussing your security settings in a public mailing list, feel free to reply to me privately.

If I hear no objection, I would proceed with enabling 2FA for astropy but I will not do so without a follow-up official announcement of a date of enforcement. FYI.

Thank you,
Pey Lian

Marten van Kerkwijk

Jun 28, 2023, 8:41:41 AM
to astro...@googlegroups.com
Would seem like this is going to be required eventually anyway.

For those so old, like me, that they have yet to do this for anything (I
just had to for my other GitHub projects), on Linux "pass" and in
particular "pass otp" is your friend; https://www.passwordstore.org/
(pass-otp on Debian).

-- Marten

Homeier, Derek

Jun 29, 2023, 10:05:56 AM
to astropy-dev
On 26 Jun 2023, at 7:47 pm, Pey Lian Lim <p3y...@gmail.com> wrote:

- Require two-factor authentication for everyone in the The Astropy Project organization.
- Members, billing managers, and outside collaborators who do not have two-factor authentication enabled for their personal account will be removed from the organization and will receive an email notifying them about the change.

OK, still trying to figure out what exactly this would mean if required for the “Organization” –
anyone without 2FA would be removed from https://github.com/orgs/astropy/people ?
And would they no longer be able to open a PR in any astropy project?

This does still seem a substantial barrier to newcomers and occasional contributors,
even if it is a very sane requirement.

The possible(?) alternative we have discussed, to officially declare it a requirement for
all with write access to any of the repos, would put a bit more workload on us by
identifying those accounts, notifying them and ultimately revoking their write permissions.

Cheers,
Derek

Pey Lian Lim

Jun 29, 2023, 10:12:12 AM
to astropy-dev
Yes, I think they would be removed from https://github.com/orgs/astropy/people and GitHub will notify them that it has happened and what they can do to get back on.

https://github.com/astropy/astropy/graphs/contributors is NOT affected. That comes from git commit math, which is completely separate from GitHub org membership. You do not have to be a member of the org to contribute, so this concern about new and occasional contributors is misplaced. This policy only affects you if you are in the org membership AND you do not already have 2FA. I think most developers already have 2FA (I do not want to go into the debate of how secure it actually is but it is better than nothing).

The alternative sounds like a lot of busywork that we do not have time to do. I'd rather just use the checkbox and have GitHub sort it out for us, especially since I have not heard any real objection yet, either in this list or privately.
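The "identify the accounts, then notify them" step Derek describes, and the "who would the checkbox remove" question above, can be previewed from the API before the setting is flipped. Added example, not code from the thread or the Astropy project: it queries GitHub's REST endpoints that list org members and outside collaborators with 2FA disabled (both require an org-owner token) and flags owners among them; `example-org`, the sample logins and the token are placeholders, and the demo runs offline on constructed responses.

```python
"""Preview who an org-wide GitHub 2FA requirement would remove (added example,
not code from the thread or the Astropy project). Uses the REST endpoints that
list members/outside collaborators with 2FA disabled; both need an owner token."""
import json
import urllib.request
from typing import Callable, Dict, List

GITHUB_API = "https://api.github.com"
Fetcher = Callable[[str], List[dict]]


def github_fetch(token: str) -> Fetcher:
    """Build a fetcher that GETs a REST path with an owner token (not used by demo())."""
    def fetch(path: str) -> List[dict]:
        req = urllib.request.Request(GITHUB_API + path, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def plan_2fa_enforcement(org: str, fetch: Fetcher) -> Dict[str, List[str]]:
    """Accounts the 2FA checkbox would remove, and which of those are org owners."""
    members_without = {m["login"] for m in fetch(f"/orgs/{org}/members?filter=2fa_disabled")}
    collabs_without = {c["login"] for c in fetch(f"/orgs/{org}/outside_collaborators?filter=2fa_disabled")}
    owners = {m["login"] for m in fetch(f"/orgs/{org}/members?role=admin")}
    return {
        "members_to_notify": sorted(members_without),
        "outside_collaborators_to_notify": sorted(collabs_without),
        # Owners without 2FA get the first warning: they hold the org's admin rights.
        "owners_at_risk": sorted(members_without & owners),
    }


# Constructed sample responses standing in for the three API calls (offline demo).
SAMPLE_RESPONSES = {
    "/orgs/example-org/members?filter=2fa_disabled": [{"login": "alice"}, {"login": "carol"}],
    "/orgs/example-org/outside_collaborators?filter=2fa_disabled": [{"login": "dave"}],
    "/orgs/example-org/members?role=admin": [{"login": "alice"}, {"login": "bob"}],
}


def demo() -> Dict[str, List[str]]:
    return plan_2fa_enforcement("example-org", lambda path: SAMPLE_RESPONSES.get(path, []))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real organization, pass `github_fetch("<owner token placeholder>")` instead of the sample lambda; the endpoints paginate at 30 results, so append `&per_page=100` or follow the `Link` header for larger orgs.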

Pey Lian Lim

Jun 29, 2023, 10:15:29 AM
to astropy-dev
p.s. I added this topic to the dev telecon for 2023-07-07.

Homeier, Derek

Jun 29, 2023, 10:17:39 AM
to astropy-dev
On 29 Jun 2023, at 4:12 pm, Pey Lian Lim <p3y...@gmail.com> wrote:

https://github.com/astropy/astropy/graphs/contributors is NOT affected. That comes from git commit math, which is completely separate from GitHub org membership. You do not have to be a member of the org to contribute, so this concern about new and occasional contributors is misplaced. This policy only affects you if you are in the org membership AND you do not already have 2FA. I think most developers already have 2FA (I do not want to go into the debate of how secure it actually is but it is better than nothing).

OK, if contributing is not affected; I don’t know what membership entails otherwise,
but I don’t have any objections then to putting this into effect.

Cheers,
Derek

Sebastian Gurovich

Jun 29, 2023, 3:42:52 PM
to astro...@googlegroups.com
Could this have any implications for forking the whole repository? Could someone theoretically still fork the repository inside the 'organization' without 2FA, or 'outside' of it?

I honestly don't know, but I also think some discussion of the type of 2FA by the community might first be warranted, since some types of 2FA are more secure than others.

best,
Sebastian

Pey Lian Lim

Jul 31, 2023, 5:30:04 PM
to astropy-dev
(Looks like it will just happen on its own anyway, like Stuart said. I got this today. Also, I am not sure I understand this content completely: it says not everyone has 2FA, but it also tells me that those in the groups that require 2FA already have it.)

Users in your organization will soon be required to enable 2FA

... the "astropy" organization which contains 127 users that meet the updated criteria for the two-factor authentication requirement program. Of these 127 users, 82 already have 2FA enabled. Read on to learn what that means for your users, and how to prepare.

This enrollment is not related to your organization settings or account. It is based on the individual actions and privileges of your organization's users on GitHub.com, both within your organization and outside of it.

What is GitHub's required 2FA program?

GitHub is expanding the 2FA program announced last year. When we launched this program in March, we only included users who had published an app, Action, or Package. Starting next week, we'll ask users who have published a release of a repository or manage critical repositories to also enable 2FA.

Why do these users have to enable 2FA?

These users have taken an action on GitHub.com which now requires 2FA.

Users in this enrollment group have created a release or manage a critical OpenSSF repository. That means, the 127 users in your organization being added to the program have created a release at least once in the past, or are administrators of an OpenSSF repository. This release may have been from one of your Organizations, in another Organization, or in their own personal repositories.

In addition to the new enrollment group, we are enabling daily updates to the previous enrollment group, which included all accounts that have published an app, Action or Package. If a user publishes an app, Action, or Package for the first time, they will be enrolled in the 2FA program the next day, starting the 45-day enrollment process detailed in our March blog post.

Will any more of my members need to enable 2FA?

More of your organization's members may take an action that puts them in this enrollment group or a previous one. At any time, you can review which users are required to enable 2FA by checking the People tab of your organization - it now shows users who are required to enable 2FA but have not yet done so. In the future, we'll continue to expand the set of users that require 2FA, and we'll reach out again when that occurs.

You should validate if service accounts you manage are in this rollout, by reviewing their associated email inbox for notifications across the next month. For help on setting up 2FA for shared service accounts, see "Setting up 2FA for service accounts".

Isn't SAML protection sufficient?

SAML protects your organization data, but it doesn't stop an attacker from accessing your users' personal accounts. These accounts can be contributors outside of your organization, and need to be protected as well.

Making the software supply chain more secure is a team effort, and we couldn't do it without you. Your support of 2FA is an impactful step in keeping the world's software secure.

Thanks,
The GitHub Security Team
