
Require Physical 2fa for Build WG & Web Infra members

Open flakey5 opened this issue 8 months ago • 27 comments

Members of the Build WG & @nodejs/web-infra have access to sensitive resources. Despite this, however, there aren't any actual requirements for 2FA to be enabled on a member's accounts afaik.

I think there should be a requirement for members to have some form of physical 2FA (e.g. a YubiKey) connected to their GitHub and other relevant accounts.

@nodejs/web-infra is relevant here since, even though members aren't under the Build WG governance, they still follow the Build WG contributor guidelines as per the website's governance doc.

I don't have an answer as to who's going to be paying for the keys, however.

flakey5 avatar Apr 07 '25 01:04 flakey5

Everyone in the Node.js GitHub org is, as far as I can remember, required to have general 2fa enabled on their accounts. Physical keys would be a good additional layer for folks on the build/infra/release teams. The foundation can likely be asked to pay for the keys. /cc @mcollina

jasnell avatar Apr 07 '25 01:04 jasnell

+1 to requiring physical hardware for authentication -- I have YubiKeys on my GH account. I wish GH had a way at the org level to require that 2FA on accounts is a physical factor, and can't be bypassed with another factor like GH mobile (it always gives me this option for sudo mode which scares me).

MattIPv4 avatar Apr 07 '25 01:04 MattIPv4

+1 for Web Infra. We should also require 2fa (Physical) on 1Password which has access to Vercel and Sentry and our GitHub bot accounts.

ovflowd avatar Apr 07 '25 07:04 ovflowd

Despite this however, there aren't any actual requirements for 2fa to be enabled on a member's accounts afaik.

I think this should be a requirement.

I don't think there is money available to massively buy YubiKeys for everyone, but it really depends on the volume.

mcollina avatar Apr 07 '25 10:04 mcollina

... massively buy yubikeys for everyone...

We don't need them for everyone... just for the build, build-infra, web-infra, and release teams I would imagine. That would be about 25 keys, which should come to just under about $2k.

jasnell avatar Apr 07 '25 15:04 jasnell

While requiring a physical key would increase security, I also think it would discourage volunteering. I have a physical YubiKey that I'm not using because it looks like it's not so straightforward to get it working under WSL.

richardlau avatar Apr 10 '25 15:04 richardlau

I think we should have a flexible requirement: either have a passkey or a YubiKey. Passkeys are already more secure and usually tied to devices (iOS phones, Windows computers, and Android phones can serve as a passkey).

ovflowd avatar Apr 24 '25 20:04 ovflowd

Passkeys can also be emulated by password managers. In that case they are not tied to physical devices.

targos avatar Apr 30 '25 13:04 targos

I believe that using 2FA is essential at this stage and should be considered non-negotiable. That said, we can recommend passkeys or physical security keys as preferred 2FA methods, and we should be able to provide a physical key to any volunteer from those teams who requests one. This approach helps us maintain strong security practices without discouraging contributors or forcing specific setups or environments.

Personally, I use YubiKeys, although they can sometimes be tricky to use, especially in virtual machines. It might be helpful to point volunteers to a guide that outlines the best available 2FA options and explains why we prefer certain methods, such as passkeys or security keys, over others like SMS-based 2FA.

UlisesGascon avatar Apr 30 '25 15:04 UlisesGascon

I think code-based 2FA, SMS-based or anything tied to something that could be compromised without a hardware in-person device should be a no go. That's why I said Android phones/iPhones/Windows computers can act as physical security keys (these are features built into these devices) if we want to avoid the costs of YubiKeys (I have 4 YubiKeys tho).

ovflowd avatar May 02 '25 22:05 ovflowd

From the discussion in the Build WG today, we are wondering if there are any open source projects that already require physical 2FA for some of their collaborators. If so, can you let us know who they are, as maybe we can reach out to them to see what their experience has been.

mhdawson avatar May 08 '25 15:05 mhdawson

@mhdawson I've found a blog and an open source project that enforced 2FA.

  • https://ropensci.org/blog/2022/05/16/requiring-2fa-for-the-ropensci-github-organization/
  • https://github.com/ossf/great-mfa-project

iuuukhueeee avatar May 08 '25 15:05 iuuukhueeee

  • https://github.com/ossf/great-mfa-project

Heh looks like Node.js was meant to be part of that: https://github.com/nodejs/node/issues/41126

MattIPv4 avatar May 08 '25 15:05 MattIPv4

@iuuukhueeee the Node.js org has already enforced 2FA, just not physical 2FA, so we're looking for projects that have required collaborators or some subset of collaborators to use physical hardware with 2FA.

mhdawson avatar May 08 '25 19:05 mhdawson

From the discussion in the Build WG meeting today it seems that the team might be comfortable recommending but not requiring the use of the hardware tokens.

mhdawson avatar May 29 '25 15:05 mhdawson

For the GitHub organization, at least, there is a setting we can enable that restricts 2FA methods to "only secure methods".

[Image: screenshot of the organization 2FA settings]

This at least disables SMS auth as an acceptable 2FA method for GitHub.

ryanaslett avatar May 30 '25 19:05 ryanaslett

@ryanaslett that's a good find, as that might be acceptable to the project. We would need to find out if there are any project members using SMS and if there is some reason they could not switch to an authenticator app.

mhdawson avatar Jun 02 '25 15:06 mhdawson

https://github.com/orgs/nodejs/people?query=two-factor%3Ainsecure will show a list for org owners.

MattIPv4 avatar Jun 02 '25 15:06 MattIPv4

The list is very long, and it included me. I haven't used SMS 2FA in years and just disabled it.

targos avatar Jun 02 '25 16:06 targos

https://github.com/orgs/nodejs/people?query=two-factor%3Ainsecure will show a list for org owners.

The filter two-factor:insecure / two-factor:secure doesn't seem to be working.

ovflowd avatar Jun 02 '25 17:06 ovflowd

https://github.com/orgs/nodejs/people?query=two-factor%3Ainsecure will show a list for org owners.

The filter two-factor:insecure / two-factor:secure doesn't seem to be working.

Unless I'm mistaken, you're not an owner of the org? As I said, only org owners can use the filter (and in general, only owners can see members' 2FA status)

MattIPv4 avatar Jun 02 '25 17:06 MattIPv4

Ah

ovflowd avatar Jun 02 '25 18:06 ovflowd

Yes, unfortunately the list includes many people (like myself) who are not using SMS for 2FA but did not specifically disable it.

A first step may be to ask all those who are not actively using SMS to disable it, and then we could check again.

mhdawson avatar Jun 02 '25 19:06 mhdawson

Suggestion: move this to the TSC, as it doesn't appear to be something the Build WG can enforce or decide.

ryanaslett avatar Jul 31 '25 15:07 ryanaslett

Moved to the TSC repo as discussed in today's TSC meeting.

Quick summary, the original request was requiring hardware 2FA for web-infra and build-infra. The Build WG considered this, but there is no practical way the Build WG can enforce the use of hardware 2FA.

The only practical additional enforcement in GitHub that looks possible is to disallow less secure (insecure?) 2FA methods (such as SMS) but that is an org-wide setting (as opposed to being able to apply to a smaller subset of people). And that would be a TSC decision (tightening 2FA requirements for everybody in the org).

richardlau avatar Aug 06 '25 13:08 richardlau

There doesn't seem to be clarity in the GitHub docs on what tightening the 2FA requirements for everybody in the org would result in (people kicked out? limited permissions?).

mcollina avatar Aug 07 '25 14:08 mcollina

https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization#requiring-secure-methods-of-two-factor-authentication-in-your-organization

Users who do not have a secure method of 2FA configured, or who have any insecure method (such as SMS) configured, will be prevented from accessing organization resources.

targos avatar Aug 07 '25 14:08 targos