[DISCUSS] Requiring use of 2FA (two-factor auth) on GitHub

Misha Brukman <mbru...@...>

TL;DR: I would like to propose requiring 2FA (two-factor auth) for all current and future members of the JanusGraph committers and maintainers groups on GitHub. 

Not having 2FA support is a security risk (see below), and as we add more and more committers and maintainers to the project, it increases the attack surface area further.

Note that this only affects your ability to log in to your account on the GitHub website; it does not change the way you work with git (e.g., to push commits to your branches), for which I assume you're using SSH keys.

This would be done by checking the single checkbox on this page:

For those of you without access to see this page, here is what it shows:

As you can clearly see, requiring 2FA instantly removes folks who DO NOT have it enabled, which is why I want everyone to enable it first, before flipping this switch.

GitHub explains quite clearly why this is a necessity in this day and age:

Two-factor authentication, or 2FA, is a way of logging into websites that requires more than just a password. Using a password to log into a website is susceptible to security threats, because it represents a single piece of information a malicious person needs to acquire. The added security that 2FA provides is requiring additional information to sign in. 
In GitHub's case, this additional information is an authentication code that's generated by an application on your smartphone or sent as a text message (SMS). After 2FA is enabled, GitHub generates an authentication code any time someone attempts to sign into your GitHub account. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone. 
We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it. 

You can set up 2FA via a number of methods: a hardware key, a mobile app, SMS (we can debate security of SMS and SMS spoofing separately, but it IS a second factor). If you ask me, the hardware key is easiest, but you'll need a separate key for every laptop/desktop/mainframe/etc. you use. Again, this only refers to your ability to log into the GitHub website, and does not affect your git workflows.

If you are a member of the org, you can see the 2FA status for everyone very easily via: https://github.com/orgs/JanusGraph/people (if you're not an org member, or you're not logged in, you'll just see a list of people, but no details).

I have a separate email drafted for those folks asking them to upgrade their accounts for 2FA. This email is asking whether we're OK with requiring 2FA going forward for everyone.

Please let me know if you have any questions or concerns about this proposal.
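As an added example (not part of this e-mail or of JanusGraph's own tooling), here is a small Python script that does the check described above from the command line: it lists an org's members, asks GitHub for the ones flagged by the documented `filter=2fa_disabled` query on the members endpoint, and says whether flipping the "Require two-factor authentication" switch would remove anyone. It assumes an org-owner token in the `GITHUB_TOKEN` environment variable (that filter is only answered for owners) and falls back to constructed sample data when no token is set; the org name defaults to JanusGraph.

```python
"""Audit which members of a GitHub organization have not enabled 2FA.

Added example; not part of the original e-mail or of the JanusGraph code base.
It mirrors what https://github.com/orgs/<org>/people shows to org members,
using two documented GitHub REST endpoints:

  GET /orgs/{org}/members                      -> all members
  GET /orgs/{org}/members?filter=2fa_disabled  -> members without 2FA (owners only)

Assumptions: an org-owner token is provided via GITHUB_TOKEN. The report is
computed by a pure function so it can be exercised on constructed data offline.
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"


def fetch_all(path, token):
    """Follow GitHub's page-based pagination for a list endpoint."""
    items = []
    page = 1
    while True:
        sep = "&" if "?" in path else "?"
        req = urllib.request.Request(
            f"{API}{path}{sep}per_page=100&page={page}",
            headers={
                "Authorization": f"Bearer {token}",
                "Accept": "application/vnd.github+json",
            },
        )
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return items
        items.extend(batch)
        page += 1


def two_factor_report(members, members_without_2fa):
    """Return (enabled, disabled) as sorted lists of logins.

    Both arguments are JSON arrays as returned by the endpoints above; only
    each object's "login" field is used. Logins in the 2fa_disabled list that
    are no longer members are ignored.
    """
    all_logins = {m["login"] for m in members}
    disabled = {m["login"] for m in members_without_2fa} & all_logins
    return sorted(all_logins - disabled), sorted(disabled)


def safe_to_require(report):
    """True only when enabling the org-wide 2FA requirement removes nobody."""
    return not report[1]


# Constructed sample shaped like the API responses (not real JanusGraph data).
SAMPLE_MEMBERS = [{"login": "alice"}, {"login": "bob"}, {"login": "carol"}]
SAMPLE_NO_2FA = [{"login": "bob"}]


def main():
    org = sys.argv[1] if len(sys.argv) > 1 else "JanusGraph"
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        members = fetch_all(f"/orgs/{org}/members", token)
        no_2fa = fetch_all(f"/orgs/{org}/members?filter=2fa_disabled", token)
    else:
        print("GITHUB_TOKEN not set; using constructed sample data")
        members, no_2fa = SAMPLE_MEMBERS, SAMPLE_NO_2FA
    enabled, disabled = two_factor_report(members, no_2fa)
    print(f"2FA enabled  ({len(enabled)}): {', '.join(enabled) or '-'}")
    print(f"2FA disabled ({len(disabled)}): {', '.join(disabled) or '-'}")
    if not safe_to_require((enabled, disabled)):
        print("Do NOT enable 'Require two-factor authentication' yet: "
              "the members listed as disabled would be removed from the org.")


if __name__ == "__main__":
    main()
```

Run it as `GITHUB_TOKEN=... python audit_2fa.py JanusGraph` (file name is the reader's choice); the network calls are confined to `fetch_all`, so the reporting logic can be checked against fixed data without a token.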


Join janusgraph-dev@lists.lfaidata.foundation to automatically receive all group messages.