
Require 2FA for pgRouting Github members #35

Closed
dkastl opened this issue Jul 1, 2020 · 14 comments

Comments

@dkastl
Member

dkastl commented Jul 1, 2020

These days it's good practice to use multi-factor authentication like 2FA to better secure accounts for web services like GitHub. When the pgRouting org on GitHub was created, 2FA did not exist yet, but when I create a new organization now I always make 2FA mandatory for organization members.

In my opinion this is necessary, because we are in some way responsible for the code we publish, and lots of distributions and packagers build pgRouting for their platforms when we publish a new release.

It would be a serious problem if malicious code made it into a package that people install with admin permissions.
2FA is one possibility to make it more difficult for something like this to happen.

However, there is a problem: 21 members of pgRouting would be removed if 2FA were enforced today:

[Screenshot from 2020-07-01 10-11-49]

I think this number is high and unfortunately there are also active contributors on this list.

I would like to encourage everyone to enable 2FA for your Github account, so we can secure this organization better.

Feel free to comment, if you are not comfortable with using 2FA: @pgRouting/admins @pgRouting/gsoc @pgRouting/osm2pgrouting @pgRouting/pgroutinglayer

@cayetanobv
Member

I agree @dkastl. It's a good and necessary practice these days. I have 2FA in my company's repository.

@dkastl
Member Author

dkastl commented Jul 1, 2020

Thanks @cayetanobv, I also make this mandatory for the company where it can be done for new services. The problem is things like pgRouting, which have existed for such a long time. And enforcing 2FA will cause 21 members to be removed from the organization. I hope this issue will lower the number ;-)

@cvvergara
Member

cvvergara commented Jul 5, 2020

Members to be informed about 2FA

@omshinde

omshinde commented Jul 5, 2020

Hi pgRouting Team! Thanks for starting this discussion. I completely agree with the idea of enabling 2FA. I have updated my personal settings to enable 2FA on my account. Thanks!

@dkastl
Member Author

dkastl commented Jul 9, 2020

Hmm, response is really slow regarding this issue, so either enabling 2FA is a very bothersome task ... or notifications do not reach affected users.

Anyway, let's wait another three days and then enable 2FA. Those who will be removed from the organization can re-apply or just use pull requests if necessary.

@dkastl
Member Author

dkastl commented Jul 11, 2020

Final call to enable 2FA!
Here is a link to the documentation: https://docs.github.com/en/github/authenticating-to-github/configuring-two-factor-authentication

@dkastl
Member Author

dkastl commented Jul 14, 2020

@cvvergara, OK to enable it?
At the moment this will remove 15 people from some pgRouting team, however:

  • it does not prevent anyone from continuing to file issues or submit pull requests
  • it will probably remove mostly inactive members
  • we can add anyone again on request

But I would like to get this done.

@robe2
Member

robe2 commented Jul 17, 2020

@dkastl I'm okay with this change since I don't make any direct commits to pgRouting. Unfortunately the way Github has implemented 2-factor authentication requires me to use my cell phone which I have off most of the time. Given I never commit anything directly to GitHub it's a bit too annoying for my needs. I'll just do pull requests as needed.

@dkastl
Member Author

dkastl commented Jul 17, 2020

Thanks @robe2, I actually didn't know about this mobile phone requirement, but also heard from @mbasa about this. I only find 2FA with AWS very annoying, but with GitHub I have some Yubikeys as well as a 2FA app registered and I can't remember ever being asked for my mobile phone. In general GitHub only asks me very rarely to log in again, and when I need to confirm some actions the password is always an option.

@robe2
Member

robe2 commented Jul 17, 2020

But with Github I have some Yubikeys as well as a 2FA app registered

How does the YubiKey thing work -- do you still need a 2FA app with it, and if so, which one do you use? I assume that might work for me as I just want a hardware device to plug into my computer and not have to ever use my cell phone for anything. Other 2-factor tools have an option to call a landline so I use that for many of my other 2FA requirements, and yah, Amazon 2FA is extremely painful.

@dkastl
Member Author

dkastl commented Jul 17, 2020

Yubikey is usually a USB key. Also Google sells something similar. There are types with NFC to also work with a smartphone, but I do not work on github with my phone, so I don't need this ;-)

Personally I always try to have a few alternatives not to lock myself out, like:

  • a hardware key
  • a MFA app like Authy
  • paper key as the last resort

... well and as a different project I'm currently working on this: https://consento.org/ ... so in the future hopefully you can do 2FA with people you trust ;-)

@cvvergara
Member

@cvvergara, OK to enable it?
At the moment this will remove 15 people from some pgRouting team, however:

  • it does not prevent anyone from continuing to file issues or submit pull requests
  • it will probably remove mostly inactive members
  • we can add anyone again on request

But I would like to get this done.

OK

@cvvergara
Member

cvvergara commented Jul 18, 2020

So from active members,
dkastl is OK
robe2 is OK
cvvergara is OK
Rohith hasn't participated on decisions lately
So general vote is OK

@dkastl
Copy link
Member Author

dkastl commented Feb 25, 2021

Since this is open for a while already, I will proceed to enforce 2FA and anyone who wants to be added back, please enable 2FA and let me know.

@dkastl dkastl closed this as completed Feb 25, 2021