
Should/will 2FA (2 factor authentication) be required for making GitHub contributions

Open nschonni opened this issue 6 years ago • 8 comments

https://help.github.com/articles/about-two-factor-authentication/

Sep 28 '18 17:09 nschonni

Where possible, 2FA should be mandatory for all systems GC uses, along with enforced (by system) code reviews.

Sep 28 '18 17:09 obrien-j

I'd like to also see promotion of hardware 2FA whenever possible such as https://www.yubico.com/ or similar tools.

Sep 28 '18 18:09 CalvinRodo

I would personally be in favour.

Nov 08 '18 18:11 gcharest

Looping @ptd-tbs in for this.

Nov 08 '18 18:11 gcharest

I am also in favour of implementing multi-factor authentication. We made it mandatory for privileged access to cloud-based services in the Direction on the Secure Use of Commercial Cloud, Section 6.2.3.

Nov 09 '18 01:11 ptd-tbs

I think requiring 2FA for making contributions is too much of an overreach, but it should be mandatory for people maintaining GC repositories.

Nov 13 '18 14:11 LaurentGoderre

I think that 2FA was indeed intended for GC employees, not external collaborators.

As an overall guidance, if we are to use SaaS that provide 2FA, we should be enabling it.

Thanks!

Guillaume

On Tue., Nov. 13, 2018 at 9:03 a.m., Laurent Goderre [email protected] wrote:

I think requiring 2FA for making contributions is too much of an overreach, but it should be mandatory for people maintaining GC repositories.


Nov 13 '18 18:11 gcharest

In general, I think we should be developing a checklist for securing GitHub. This includes enabling 2FA in general for those with accounts. If this is a key component of the CI/CD pipeline, it should be assessed and approved once, then reused by other projects. Checklist is on our to do list.

Nov 14 '18 11:11 ptd-tbs