[zeromq-dev] ZeroMQ Github Org and 2-factor authentication

Luca Boccassi luca.boccassi at gmail.com
Thu Mar 30 12:36:02 CEST 2017


Hello all,

There has been news recently of attacks targeting developers who use
Github and whose accounts are part of organizations [1].

Github has been offering 2-factor authentication [2] for quite some
time now, with options including a free TOTP phone app like Google
Authenticator or inexpensive U2F hardware tokens.

It is well known that having 2FA enabled greatly reduces the chance of
having an account compromised, and the damage in case it happens.
Dragnet-style attacks become much less effective, and a directly targeted
attack compromising both a machine and a token has to be deployed in
order to be effective. It is, simply put, a really good idea to use 2FA.

In the Github ZeroMQ Org we have 114 members, of which 35 have admin
permissions.
Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners, 15 do
NOT have 2FA enabled.

In case one of the members (especially an admin) had their account
compromised, real damage could be caused.

So I would like to propose to enforce the use of 2FA, starting with the
admin accounts [3]. I can email the individual accounts asking them to do
so, in case they do not monitor the mailing list.

What do you think? Any objections?

Kind regards,
Luca Boccassi

[1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
[2] https://help.github.com/articles/about-two-factor-authentication/
[3] Github has a setting to make it mandatory for an organization, but
I'm not proposing to use that just now, as it will automatically kick
anyone who does not have 2FA, which is too extreme and not necessary at
the moment.
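The member and owner counts above come from Github's organization member listing. The script below is an added example, not part of the original post or of the ZeroMQ project, showing how an org owner can reproduce that audit: it uses the documented `GET /orgs/{org}/members` endpoint with its `role` and `filter=2fa_disabled` query parameters (the latter is only honoured for organization owners), follows pagination, and produces the list of accounts to contact, admins first. The sample responses it ships with are constructed to mirror the numbers in the post (114 members, 35 admins, 59 and 15 without 2FA) and are not real API output; the `zeromq` org name and the function names are assumptions.

```python
"""Audit which members of a Github organization have not enabled 2FA.

Added example, not code from the original post or the ZeroMQ project.
Assumes the Github REST API parameters role=all|admin and
filter=2fa_disabled on GET /orgs/{org}/members (filter=2fa_disabled is
only honoured when the token belongs to an organization owner).
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

API = "https://api.github.com"
GetPage = Callable[[str], List[dict]]


def github_get_page(token: str) -> GetPage:
    """Return a fetcher that GETs one page of the members API with a token."""
    def get(url: str) -> List[dict]:
        req = urllib.request.Request(url, headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get


def fetch_logins(org: str, get_page: GetPage, role: str = "all",
                 filter_: Optional[str] = None, per_page: int = 100) -> List[str]:
    """Collect member logins, following ?page=N until a short or empty page."""
    logins: List[str] = []
    page = 1
    while True:
        url = f"{API}/orgs/{org}/members?role={role}&per_page={per_page}&page={page}"
        if filter_:
            url += f"&filter={filter_}"
        batch = get_page(url)
        if not batch:
            break
        logins.extend(m["login"] for m in batch)
        if len(batch) < per_page:
            break
        page += 1
    return logins


def audit_2fa(all_members: Iterable[str], admins: Iterable[str],
              no_2fa_members: Iterable[str], no_2fa_admins: Iterable[str]) -> Dict:
    """Tally the four listings and split the accounts to contact by privilege."""
    members, adm = set(all_members), set(admins)
    weak, weak_adm = set(no_2fa_members), set(no_2fa_admins)
    # The filtered listings must be subsets of the unfiltered ones; anything
    # else means a page was missed or the token lacked owner rights.
    if not (adm <= members and weak <= members and weak_adm <= adm):
        raise ValueError("inconsistent member listings; check token role and pagination")
    return {
        "members": len(members),
        "admins": len(adm),
        "members_without_2fa": len(weak),
        "admins_without_2fa": len(weak_adm),
        "contact_first": sorted(weak_adm),          # owners: highest blast radius
        "contact_next": sorted(weak - weak_adm),    # remaining members
    }


def run_audit(org: str, get_page: GetPage) -> Dict:
    """Fetch the four listings for an org and return the audit summary."""
    return audit_2fa(
        fetch_logins(org, get_page, role="all"),
        fetch_logins(org, get_page, role="admin"),
        fetch_logins(org, get_page, role="all", filter_="2fa_disabled"),
        fetch_logins(org, get_page, role="admin", filter_="2fa_disabled"),
    )


# Constructed sample data (assumption, not real org members) sized to the
# figures in the post: 114 members, 35 admins, 59 and 15 without 2FA.
SAMPLE_MEMBERS = [f"dev{i:03d}" for i in range(1, 115)]
SAMPLE_ADMINS = SAMPLE_MEMBERS[:35]
SAMPLE_NO_2FA_ADMINS = SAMPLE_ADMINS[:15]
SAMPLE_NO_2FA_MEMBERS = SAMPLE_NO_2FA_ADMINS + SAMPLE_MEMBERS[35:79]


def sample_get_page(url: str) -> List[dict]:
    """Offline stand-in for the API that serves the constructed data paginated."""
    q = parse_qs(urlparse(url).query)
    role, page, per = q["role"][0], int(q["page"][0]), int(q["per_page"][0])
    if role == "admin":
        base = SAMPLE_NO_2FA_ADMINS if "filter" in q else SAMPLE_ADMINS
    else:
        base = SAMPLE_NO_2FA_MEMBERS if "filter" in q else SAMPLE_MEMBERS
    return [{"login": login} for login in base[(page - 1) * per: page * per]]


if __name__ == "__main__":
    # Offline demo against the constructed data; swap in
    # github_get_page("<owner token>") to audit a real organization.
    print(json.dumps(run_audit("zeromq", sample_get_page), indent=2))
```

With a real owner token the same `run_audit` call yields the two lists to email; running it again after the reminder round shows whether the numbers moved before deciding on the org-wide mandatory setting.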
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20170330/62aa1c0d/attachment.sig>