Free MFA hardware tokens for your projects

Arnaud Le Hors

Dec 15, 2021, 10:40:00 AM
to Kubernetes developer/contributor discussion

Hi! I work with the Developer Best Practices Working Group of the Linux Foundation's Open Source Security Foundation (OpenSSF) "Great Multi-Factor Authentication (MFA) Distribution Project".

We'd like to give your project free MFA hardware tokens from Google and GitHub, for use by your maintainers. We'd especially like to give them to any of your maintainers who aren't already using any. Our goal is to help improve the security of open source software (OSS)/Free Software projects. For example, these tokens can counter attacks that release source code updates and/or packages using stolen passwords.

By 2021-12-20 and preferably sooner if possible, please let me know:

  1. If you want any tokens, and if so...
  2. How many Titan tokens from Google (up to 5)
  3. How many Yubikey tokens from GitHub (up to 5)
  4. The private email address to send codes to (this email must not go to the public, as these are use-once codes that can be used to get the tokens)
  5. If you could use more, how many more.

We would send you coupon codes and validation codes to the private email address. You would then distribute those codes to the maintainers you choose. The recipients would use the coupon codes and validation codes to "buy" the tokens from the Google Store and/or GitHub Shop, who would ship the tokens directly to recipients. These codes are use-once, so make sure you can keep the codes private until they're used by the intended person.

Important: The Google coupon codes must be used by 2021-12-31 on the Google Store or they expire.

How can you trust us? You don't need to. You would get the MFA tokens from Google and GitHub; we're simply offering codes to make them no-cost. We'll provide some documentation on how to use them, but you don't need to use our documents.

To qualify, each token recipient must:

  1. Be a maintainer or contributor to this critical open source software (OSS) project, or to another OSS project that this project depends on (the dependency may be indirect).
  2. Try to use an MFA token once they receive the token. We'd like recipients to use MFA tokens from then on, but at least try.
  3. Not reuse the token between different people (the token must not be shared).
  4. Consider providing feedback to us (so we can try to fix problems).

We also need each project that receives coupon codes and/or validation codes to tell us these numbers (preferably within 30 days of getting the codes):

  1. How many tokens did you distribute from just Google? From just GitHub?
  2. How many people received tokens from just Google? From just GitHub? From both?
  3. How many people didn’t have hardware tokens they used for OSS who received tokens from just Google? From just GitHub? From both?

We ask for this information so we can tell others some simple measures of success. We don't need nor want the names of any individuals participating. It's fine to ask the people who got the codes for that information and provide a best-effort summary.

The MFA tokens are shipped from the US. They can be shipped internationally, but there are various limitations on where each can be shipped.

In particular, we can't ship somewhere if that is forbidden (sanctioned) under US law. So at this time we are unable to ship to individuals in China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan, and Syria. Sorry about that. See the Google and GitHub sites for more shipping information. More sanction information is available.

More information, including how-tos and other setup information, can be found at the "Great Multi-Factor Authentication (MFA) Distribution Project" site.

Let me know if you have any questions.


Arnaud Le Hors - IBM

Stephen Augustus

Dec 15, 2021, 10:59:27 AM
to Arnaud Le Hors, release-managers
Hey Arnaud!

On behalf of the Kubernetes Release Managers, I'll help coordinate.
k-dev to bcc, adding the Release Managers handle.


Brian Topping

Dec 15, 2021, 12:28:18 PM
to Arnaud Le Hors, Kubernetes developer/contributor discussion
Hi thanks for managing this!! 

Could I possibly get two of each? I’d like to get one each for production and one each for testing. 

Thank you!

Brian Topping

Sent from my iPhone

Arnaud Le Hors

Dec 15, 2021, 2:42:49 PM
to Kubernetes developer/contributor discussion
Unfortunately we don't have enough tokens to give people more than one at this point. But please, follow up with the issue Stephen created.
Thank you for your interest.