Enable 2FA requirement for OpenStreetMap Github organisation

[Firefishy]

We should enable the 2FA requirement for the OpenStreetMap Github organisation.

The following users need to enable 2FA on their account or will they will automatically be removed from https://github.com/openstreetmap when the 2FA requirement is enforced.

I propose 1st August 2021 as the deadline to enable 2FA.

• @Krakonos Ladislav Láska
• @scrosby Scott Crosby
• @bastik bastik
• @woodpeck Frederik Ramm
• @podolsir Igor Podolskiy
• @openstreetmap-mirror OpenStreetMap Mirror
• @stoecker Dirk Stöcker
• @LambertusIJsselstein LambertusIJsselstein
• @frafra Francesco Frassinelli
• @xamanu ǝɹʇʇɐʃǝ◖ xıʃǝɟ
• @systemed Richard Fairhurst
• @simonpoole Simon Poole
• @nomoregrapes Gregory
• @lonvia Sarah Hoffmann
• @marcu Ducobu Marc
• @mcauer Michael Auer
• @tatsvc Tatiana Van Campenhout
• @Nakaner Michael Reichert
• @RobJN RobJN
• @rabidllama Adam Rousell
• @ChristineKarch Christine Karch
• @lectrician1 Seth Deegan
• @josmmirror josmmirror

[tomhughes]

Being a member of the organisation doesn't actually mean much - many of the people with access to particular repositories are not organisation members because of the nature of the org as a mixture of projects.

[Firefishy]

Being a member of the organisation doesn't actually mean much - many of the people with access to particular repositories are not organisation members because of the nature of the org as a mixture of projects.

The list is all users who have permission to any repo under the openstreetmap organisation, regardless of organisational membership.

[grischard]

One common objection will be that some of these are bot or shared accounts, like @josmmirror or @openstreetmap-mirror, or that it needs one particular phone.

You don't you need to link just one device, but can instead use the oathtool cli tool. The "secret" is a long string which the QR code contains.

> oathtool --tot -b eiLiN4oafohfaof2
053648

[Firefishy]

One common objection will be that some of these are bot or shared accounts, like @josmmirror or @openstreetmap-mirror, or that it needs one particular phone.

If using automation, use git over ssh with an ssh key or use a personal access token if you need github API access, both of which do not require a 2FA login tokens.

[Krakonos]

Enabled.

[pantierra]

Enabled.

[lectrician1]

Enabled

[simonpoole]

Enabled

[Firefishy]

15 to go...

[ChristineKarch]

Done :)

[Firefishy]

@scrosby @bastik @podolsir @openstreetmap-mirror @stoecker @LambertusIJsselstein @frafra @marcu @mcauer @tatsvc @Nakaner @rabidllama @josmmirror Please enable 2FA on your accounts when you have a chance.

Why force 2FA? We have some critical project repos under the https://github.com/openstreetmap/ project, 2FA can only be enforced at the top project level. 2FA gives us another important layer of protection against account compromise.

[Firefishy]

@scrosby @bastik @podolsir @openstreetmap-mirror @stoecker @LambertusIJsselstein @frafra @marcu @mcauer @tatsvc @Nakaner @rabidllama @josmmirror Reminder, please enable 2FA on your Github accounts, alternatively let us know if you are ok being removed from the https://github.com/openstreetmap/ github project. Happy to help if needed.

[marcu]

Done !

[grischard]

JOSM ticket for this: https://josm.openstreetmap.de/ticket/21128