Enable 2FA requirement for OpenStreetMap Github organisation #540
Comments
Being a member of the organisation doesn't actually mean much - many of the people with access to particular repositories are not organisation members because of the nature of the org as a mixture of projects. |
The list is all users who have permission to any repo under the openstreetmap organisation, regardless of organisational membership. |
One common objection will be that some of these are bot or shared accounts, like @josmmirror or @openstreetmap-mirror, or that it needs one particular phone. You don't need to link just one device, but can instead use the oathtool CLI tool. The "secret" is a long string which the QR code contains.
|
If using automation, use git over ssh with an ssh key or use a personal access token if you need GitHub API access, both of which do not require 2FA login tokens. |
Enabled. |
Enabled. |
Enabled |
Enabled |
15 to go... |
Done :)
|
@scrosby @bastik @podolsir @openstreetmap-mirror @stoecker @LambertusIJsselstein @frafra @marcu @mcauer @tatsvc @Nakaner @rabidllama @josmmirror Please enable 2FA on your accounts when you have a chance. Why force 2FA? We have some critical project repos under the https://github.com/openstreetmap/ project, 2FA can only be enforced at the top project level. 2FA gives us another important layer of protection against account compromise. |
@scrosby @bastik @podolsir @openstreetmap-mirror @stoecker @LambertusIJsselstein @frafra @marcu @mcauer @tatsvc @Nakaner @rabidllama @josmmirror Reminder, please enable 2FA on your Github accounts, alternatively let us know if you are ok being removed from the https://github.com/openstreetmap/ github project. Happy to help if needed. |
Done ! |
JOSM ticket for this: https://josm.openstreetmap.de/ticket/21128 |
@scrosby @bastik @podolsir @openstreetmap-mirror @stoecker @LambertusIJsselstein @frafra @mcauer @tatsvc @Nakaner @rabidllama @josmmirror This is important... I am the bully enabling the 2FA on the @openstreetmap github project. Other projects have had accounts compromised and exploit commits snuck in. Applying security after a compromise is too late. Enabling 2FA on an account should not disrupt git actions in any way [1]. Github supports saving a backup 2FA recovery key offline (e.g. print-out). It also supports using an SMS as a backup recovery method, if desired. The 2FA tokens are generated from a shared secret which can be decoded from the QR code from the setup stage. I normally save a copy of the QR photo. I used 1: As long as you are using an SSH key for authentication in git, which you should be using. |
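Added example, not part of the thread and not the project's own code: a Python sketch of what the comments above describe, deriving the time-based 2FA code from the shared secret carried in the setup QR code (an `otpauth://` URI), which is the computation oathtool performs. The function names are this example's own, and the sample URI is constructed from the public RFC 6238 test key rather than any real account secret.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Extract TOTP parameters from the otpauth:// URI a setup QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


def totp(secret_b32, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 code for the given base32 secret at Unix time `at`."""
    # Setup pages often show the secret in spaced groups and without padding.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    # The moving factor is the number of whole periods since the Unix epoch.
    counter = int(time.time() if at is None else at) // period
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks the offset.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample: the RFC 6238 test key, not a real account secret.
SAMPLE_URI = ("otpauth://totp/Example:bot-account"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p["secret"], digits=p["digits"], period=p["period"]))
```

Anyone holding the secret can produce valid codes, so a saved QR image or secret string needs the same protection as a password.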
Done. It can be considered state of the art to use two-factor auth but I was just too lazy to add it to my account so far. |
I have now enforced 2FA on the @openstreetmap organisation. The following users have been automatically removed because they do not currently have 2FA enabled on their accounts: Happy to add back any of the users above once 2FA has been enabled on their account. Message me or email operations "AT" osmfoundation "DOT" org |
We should enable the 2FA requirement for the OpenStreetMap Github organisation.
The following users need to enable 2FA on their account or they will automatically be removed from https://github.com/openstreetmap when the 2FA requirement is enforced.
I propose 1st August 2021 as the deadline to enable 2FA.