This repository has been archived by the owner on May 26, 2023. It is now read-only.

coupon_sending.md


Coupons for a critical project

Background

The following draft text is to be sent by a "sender" to a critical project's PRIVATE email address (or similar private channel), once they've agreed to accept the coupon and validation codes.

NOTE: This needs to be fixed. GitHub plans to distribute a form entry that would then give a coupon code.

Improvements welcome!

Sending coupon and validation code text

Thanks so much for being willing to use these free multi-factor authentication (MFA) hardware tokens!

Below are the coupon codes for the Google Titan tokens and/or the validation keys for the GitHub Yubikey tokens. Please distribute each one to maintainers and contributors to your project and/or any open source software projects that your project depends on. DO NOT make the codes public; each code can only be used once.

The Google coupon codes must be used by the end of 2021 (they expire afterwards). If you decide not to use any coupon codes or validation codes, please tell us as soon as possible so we can give them to someone else.

Those getting the Titan tokens from Google would use the Google Store's page for Titan tokens at https://store.google.com/product/titan_security_key. We have step-by-step instructions for getting a Titan key at https://github.com/ossf/great-mfa-project/blob/main/getting-titan-token-from-google.md.

Those getting the Yubikey tokens from GitHub would first use a Google form to turn the validation code into a coupon code, at https://forms.gle/zYLbdmGsgAFbeZr26. They would then use the GitHub Shop's Yubikey page at https://thegithubshop.com/products/github-branded-yubikey?_pos=1&_sid=4893867a7&_ss=r. We have step-by-step instructions for getting a Yubikey key at https://github.com/ossf/great-mfa-project/blob/main/getting-yubikey-token-from-github.md.

To qualify, each token recipient must:

  1. Be a maintainer or contributor to this critical open source software (OSS) project, or to another OSS project that this project depends on (the dependency may be indirect).
  2. Try to use an MFA token to secure their GitHub account once they receive the token. We'd like recipients to use MFA tokens from then on, but at least try.
  3. Not reuse the token between different people (the token must not be shared).
  4. Consider providing feedback to us (so we can try to fix problems).

We also need each project that receives coupon codes and/or validation codes to tell us these numbers (preferably within 30 days of getting the codes):

  1. How many tokens did you distribute from just Google? From just GitHub?
  2. How many people received tokens from just Google? From just GitHub? From both?
  3. How many people didn’t have hardware tokens they used for OSS who received tokens from just Google? From just GitHub? From both?

The people you sent the coupon and validation codes to should be able to tell you this! We need this information so we can tell others some simple measures of success. We don't need the names of any individuals.

Please note that the tokens are shipped from the US, so while they can be shipped internationally, we can't ship somewhere if that is forbidden (sanctioned) under US law as listed on https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information. So unless rules change we can't ship them to China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan, and Syria. Sorry about that. Google Titan keys are purchased directly from the store and are only available in select regions listed on https://cloud.google.com/titan-security-key#section-5.

We provide how-tos and other information at the "Great Multi-Factor Authentication (MFA) Distribution Project" site: https://github.com/ossf/great-mfa-project