[zeromq-dev] ZeroMQ Github Org and 2-factor authentication

Brian Knox bknox at digitalocean.com
Thu Mar 30 13:38:29 CEST 2017


Thanks for bringing up this issue, Luca! I am 100% in favor of enforcing 2-factor
auth for the org.

On Thu, Mar 30, 2017 at 7:15 AM Harald Achitz <harald.achitz at gmail.com>
wrote:

> As a user: please make it a requirement for write access to have 2-factor
> auth.
>
> Thanks for having this idea and doing this initiative!
>
> Regards
> Harald
> send from my fairphone
>
> On Mar 30, 2017 12:37 PM, "Luca Boccassi" <luca.boccassi at gmail.com> wrote:
>
> Hello all,
>
> There has been news recently of attacks targeting developers using
> Github whose accounts are part of organizations [1].
>
> Github has been offering 2 factor authentication [2] for quite some
> time now, with options including a free TOTP phone app like the Google
> Authenticator or inexpensive U2F hardware tokens.
>
> It is well known that having 2FA enabled greatly reduces the chance of
> having an account compromised, and the damage in case it happens.
> Dragnet-style attacks become much less effective, and directly targeted
> attacks to compromise both a machine and a token have to be deployed in
> order to be effective. It is, simply put, a really good idea to use 2FA.
>
> In the Github ZeroMQ Org we have 114 members, of which 35 have admin
> permissions.
> Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners, 15 do
> NOT have 2FA enabled.
>
> In case one of the members (especially an admin) had the account
> compromised, real damage could be caused.
>
> So I would like to propose to enforce the use of 2FA, starting with the
> admin accounts [3]. I can email the individual accounts asking to do
> so, in case they do not monitor the mailing list.
>
> What do you think? Any objections?
>
> Kind regards,
> Luca Boccassi
>
> [1]
> https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> [2] https://help.github.com/articles/about-two-factor-authentication/
> [3] Github has a setting to make it mandatory for an organization, but
> I'm not proposing to use that just now, as it will automatically kick
> anyone who does not have 2FA, which is too extreme and not necessary at
> the moment.
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev