This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

require 2FA to be on Gratipay GitHub org #775

Closed
chadwhitacre opened this issue Aug 15, 2016 · 6 comments

@chadwhitacre
Contributor

Kenneth got hacked, illustrating the importance of 2FA. We should require 2FA on GitHub for anyone with permission to deploy, and maybe for everyone on the GitHub org.

@ghost

ghost commented Aug 15, 2016

Do you already have the percentage of 2FA activation for the Gratipay team? Requiring it for everybody would imply that everybody has a long-term working phone number or the Google Authenticator application. However, 2FA using SMS is being deprecated by NIST, so we can expect big companies (GitHub?) to follow the new recommendations.

I think that forcing it for users with access to private repositories and deploy permission is a good thing, and then strongly suggest (≠ force) to everybody in the organisation to follow the movement.

GitHub has a great article about how to use all the services after enabling 2FA (spoiler: you may need to generate personal tokens to clone via HTTPS).

@chadwhitacre
Contributor Author

I don't have a smart phone, and I'm curious to see how long I can hold out with SMS 2FA being phased out.

All three of us on the "Deployers" team (@clone1018 @rohitpaulk @whit537) have 2FA enabled. We are at 33% overall (8 / 24).

I guess we're saying that's okay for now?

@ghost

ghost commented Aug 23, 2016

Yep, I think.

@chadwhitacre
Contributor Author

What about Heroku? And DNSimple? And MaxCDN? And Digital Ocean? Seems like we should adopt a 2FA policy for any system involved in production.

@ghost

ghost commented Aug 23, 2016

(and HackerOne)

@EdOverflow
Contributor

EdOverflow commented Jan 9, 2017

I currently use the Google Authenticator app, since I do not like to use SMS 2FA. I also plan on getting a YubiKey. @whit537 Maybe you might want to look into a YubiKey for important accounts?


Here is a list of pages regarding 2FA on services we use:
