2 Factor Auth for NuGet.org sign in
Status: Reviewed
The work for this feature and the discussion around the spec are tracked in 2Factor Auth on NuGet Gallery #3252.
NuGet.org accounts are currently secured by a simple username/password combination, or are linked to a Microsoft Account that is similarly protected. We want to make it harder to compromise these accounts by requiring two-factor authentication (2-FA).
All NuGet package authors publishing public NuGet.org packages will be protected by this additional layer of security.
Authors can still publish packages to NuGet.org using their existing API keys. Creating a new API key may require signing in through the 2-FA-protected account, if that requirement is enabled.
The key scenarios we want to enable are:
- Deprecate NuGet.org password-based accounts. NuGet.org password accounts do not support 2-FA, which is critical for enhanced security across the Microsoft ecosystem. We do not want to build additional 2-FA capability into NuGet.org password-based accounts; instead we would like to leverage existing Microsoft accounts and Azure Active Directory (AAD) to provide it. As part of the feature, the transition to the new sign-in system would be seamless: NuGet.org already supports Microsoft account sign-in for existing accounts.
- Enable and encourage enhanced security of NuGet.org accounts using 2-FA. We will not mandate 2-FA usage for all accounts.
- NuGet package authors belonging to organizations with AAD can authenticate on NuGet.org via their AAD instance. These AAD instances can have 2-FA enabled, which NuGet.org will respect. For example, Microsoft packages require mandatory sign-in through secured @microsoft.com accounts federated through the Microsoft organization on AAD, similar to our admin accounts.
- Gallery instances other than NuGet.org should be able to remain with basic auth using username/password sign-ins.
We plan to deprecate NuGet.org accounts not linked to Microsoft Accounts and to require authentication to NuGet.org accounts via Microsoft Accounts secured by 2-FA. We will also support AAD logins.
For AAD, the experience will be similar to Microsoft Accounts. Clicking "Sign in with Microsoft" leads to a login screen that redirects to an AAD login if the email address entered belongs to an AAD account. Nothing else changes.
[Open] Do we allow multiple MSA/AAD accounts linked to a single NuGet.org account?
[Resolved] A single NuGet.org account can only be associated with a single MSA/AAD account. However, there will be an experience to change the linked MSA/AAD account. In addition, there will be no impact on existing NuGet.org accounts already linked to multiple MSAs until they try to link additional accounts.
NuGet.org will introduce a lightweight "Organization" concept, as covered by the spec Organizations on NuGet.org.
The aim is to enable 2-FA in phases:
Phase 1:
- Enable Microsoft accounts and AAD logins as the default way to login or register on NuGet.org
- Recommend that users enable 2-FA for their accounts
- NuGet.org password logins will exist but will not be promoted for sign-ins or new user registrations
Default login: [screenshot]
Encourage linking from NuGet account settings: [screenshot]
Encourage 2-FA: [screenshot]
Phase 2:
- Deprecate NuGet.org password logins. Ask users to connect with Microsoft/AAD accounts
- Enable Organizations on NuGet.org. Spec: Organizations on NuGet.org
Deprecate NuGet.org password login with migration path to MSA/AAD: [screenshot]
Phase 3:
- Disable NuGet.org password sign-ins. Enforce all accounts to connect with Microsoft accounts or AAD with 2FA.
NuGet.org password sign-in is disabled: [screenshot]
Note: Manage Organizations, Manage Packages and Upload Package are disabled until the account is connected to a Microsoft account or AAD with 2FA.
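The three phases above, together with the earlier note that existing API keys keep working while creating a new key may require 2-FA, amount to an authorization policy. The following is an added example (not NuGet Gallery code) of how a gallery could implement that policy as a single decision function. It assumes the server already validated an OpenID Connect id_token from the Microsoft account or AAD sign-in and reads its `amr` (authentication methods reference) claim, which carries `"mfa"` when the identity provider actually verified a second factor; the `Session` shape, the action names and the per-account `account_requires_2fa` opt-in flag are illustrative assumptions, not the gallery's data model.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Phase(IntEnum):
    """Rollout phases from the spec."""
    ONE = 1    # MSA/AAD are the default; password login exists but is not promoted
    TWO = 2    # password login deprecated; users are asked to link MSA/AAD
    THREE = 3  # password sign-in disabled; MSA/AAD with 2FA is enforced


# Interactive actions the spec gates behind a linked, 2FA-protected account
# (hypothetical action names for this example).
PRIVILEGED = frozenset({"upload_package", "manage_packages",
                        "manage_organizations", "create_api_key"})


@dataclass(frozen=True)
class Session:
    provider: str                       # "password", "msa" or "aad"
    amr: tuple = ()                     # 'amr' claim from the validated id_token, e.g. ("pwd", "mfa")
    account_requires_2fa: bool = False  # hypothetical per-account opt-in flag


def second_factor_asserted(session: Session) -> bool:
    """Only the identity provider's own assertion counts: MSA and AAD put
    "mfa" in the amr claim when a second factor was verified. A user-supplied
    flag or a form checkbox must never substitute for this, and an amr value
    on a password session is meaningless because no token was issued."""
    return session.provider in ("msa", "aad") and "mfa" in session.amr


def authorize(phase: Phase, session: Session, action: str) -> tuple[bool, str]:
    """Decide whether `action` is allowed for `session` in rollout `phase`.
    Returns (allowed, reason) so the UI can show why something is disabled."""
    # Pushing with an already-issued API key is not an interactive sign-in
    # and keeps working in every phase.
    if action == "push_with_api_key":
        return True, "existing API keys remain valid"

    if session.provider == "password":
        if phase >= Phase.THREE:
            return False, "password sign-in is disabled; link a Microsoft or AAD account"
        if phase == Phase.TWO:
            return True, "password sign-in is deprecated; please link a Microsoft or AAD account"
        return True, "password sign-in is not promoted; consider linking a Microsoft or AAD account"

    if session.provider not in ("msa", "aad"):
        return False, f"unknown provider {session.provider!r}"

    if action in PRIVILEGED and not second_factor_asserted(session):
        if phase >= Phase.THREE:
            return False, "2FA is required for this action; enable it on your Microsoft or AAD account"
        if action == "create_api_key" and session.account_requires_2fa:
            return False, "this account requires 2FA to create new API keys"
        return True, "2FA is recommended for this account"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sessions: a password-only user, an AAD user without a
    # second factor, and an AAD user whose token asserts MFA.
    for phase in Phase:
        for s in (Session("password"),
                  Session("aad", ("pwd",)),
                  Session("aad", ("pwd", "mfa"))):
            allowed, why = authorize(phase, s, "upload_package")
            print(f"phase {int(phase)} {s.provider:<8} amr={s.amr}: {allowed} ({why})")
```

The important design choice is that `second_factor_asserted` reads the `amr` claim of the token the identity provider signed, so "NuGet.org will respect" the AAD tenant's 2-FA policy without the gallery implementing a second factor itself; a session that arrives by password can never satisfy it, which is what makes Phase 3 enforceable.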
Check out the proposals in the accepted & proposed folders on the repository, and active PRs for proposals being discussed today.