[zeromq-dev] ZeroMQ Github Org and 2-factor authentication

Harald Achitz harald.achitz at gmail.com
Thu Mar 30 13:14:31 CEST 2017


As a user: please make it a requirement for write access to have 2-factor
auth.

Thanks for having this idea and doing this initiative!

Regards
Harald
Sent from my Fairphone

On Mar 30, 2017 12:37 PM, "Luca Boccassi" <luca.boccassi at gmail.com> wrote:

> Hello all,
>
> There has been news recently of attacks targeting developers using
> Github, and whose account is part of organizations [1].
>
> Github has been offering 2 factor authentication [2] for quite some
> time now, with options including a free TOTP phone app like the Google
> Authenticator or inexpensive U2F hardware tokens.
>
> It is well known that having 2FA enabled greatly reduces the chance of
> having an account compromised, and the damage in case it happens.
> Dragnet-style attacks become much less effective, and directly targeted
> attacks to compromise both a machine and a token have to be deployed in
> order to be effective. It is, simply put, a really good idea to use 2FA.
>
> In the Github ZeroMQ Org we have 114 members, of which 35 have admin
> permissions.
> Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners, 15 do
> NOT have 2FA enabled.
>
> In case one of the members (especially an admin) had the account
> compromised, real damage could be caused.
>
> So I would like to propose to enforce the use of 2FA, starting with the
> admin accounts [3]. I can email the individual accounts asking to do
> so, in case they do not monitor the mailing list.
>
> What do you think? Any objections?
>
> Kind regards,
> Luca Boccassi
>
> [1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> [2] https://help.github.com/articles/about-two-factor-authentication/
> [3] Github has a setting to make it mandatory for an organization, but
> I'm not proposing to use that just now, as it will automatically kick
> anyone who does not have 2FA, which is too extreme and not necessary at
> the moment.