bevry-archive / meta

Superseded by the Bevry discussion forum: https://discuss.bevry.me

Enabling 2FA on all bevry organisation members #28

Closed balupton closed 6 years ago

balupton commented 6 years ago

One of the organisations I am part of (not bevry related) had a member account compromised by what seems like a malicious script. I would like to take precautions to protect the bevry ecosystem (which has millions of downloads a month).

As such, I wish to enable the GitHub feature that requires all organisation members to have 2FA enabled. To enable this feature, all organisation members must use 2FA auth on their GitHub accounts, or be removed from the organisation.

Here are the members without 2FA enabled, whom I am requesting to enable it, or to note that you won't, so I can remove you.

Setting the deadline for this to be 7 days from now. So 29th June.

Bevry members

DocPad members

BrowserState members


You can enable 2FA on GitHub via: https://github.com/settings/security

The common options for setting up 2FA auth that I've encountered are:

jaspervdj commented 6 years ago

I am only involved in @bevry because I was the original maintainer of the static site generators list. I'd like to step down since I'm not actively involved anymore and I don't need access to any of the repositories. :-)

dertuxmalwieder commented 6 years ago

As if that would make that much of a difference...

Enabled 2FA anyway - it might be handy after all.

balupton commented 6 years ago

> As if that would make that much of a difference...

From a script's perspective, it no longer allows username/password combinations - only personal access tokens, which are less likely to be reused across services and logged by malware, and which help identify where the compromise occurred.

> Enabled 2FA anyway - it might be handy after all.

cheers


> I am only involved in @bevry because I was the original maintainer of the static site generators list. I'd like to step down since I'm not actively involved anymore and I don't need access to any of the repositories. :-)

no worries :-)

balupton commented 6 years ago

Thanks everyone who enabled 2FA. Hope to see the others again at some point.

Removed everyone's usernames from the original post now that the deadline has passed.
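
As an added example (not code from this thread or from bevry), one way an organisation owner could produce the per-organisation list of members without 2FA that the opening post describes, using the `2fa_disabled` member filter of GitHub's REST API. The organisation names passed on the command line and the `GITHUB_TOKEN` environment variable are assumptions.

```javascript
// Added example: list members of several GitHub organisations who lack 2FA.
// Uses GET /orgs/{org}/members?filter=2fa_disabled, which GitHub documents as
// available to organisation owners only. GITHUB_TOKEN is an assumed variable.
const API = 'https://api.github.com';

// Parse the Link header GitHub uses for pagination and return the
// rel="next" URL, or null when this is the last page.
function nextPageUrl(linkHeader) {
  for (const part of (linkHeader || '').split(',')) {
    const m = part.match(/<([^>]+)>\s*;\s*rel="next"/);
    if (m) return m[1];
  }
  return null;
}

// Collect every login in one organisation that has 2FA disabled.
async function membersWithout2FA(org, token, fetchImpl = fetch) {
  const logins = [];
  let url = `${API}/orgs/${encodeURIComponent(org)}/members?filter=2fa_disabled&per_page=100`;
  while (url) {
    const res = await fetchImpl(url, {
      headers: { Accept: 'application/vnd.github+json', Authorization: `Bearer ${token}` },
    });
    // Treat any non-2xx reply as a failed audit, never as "nobody lacks 2FA".
    if (!res.ok) throw new Error(`${org}: HTTP ${res.status}`);
    for (const member of await res.json()) logins.push(member.login);
    url = nextPageUrl(res.headers.get('link'));
  }
  return logins;
}

// Audit several organisations; the result maps org name -> sorted logins.
async function auditOrgs(orgs, token, fetchImpl = fetch) {
  const report = {};
  for (const org of orgs) {
    report[org] = (await membersWithout2FA(org, token, fetchImpl)).sort();
  }
  return report;
}

// Query the live API only when a token and at least one org name are given.
const orgs = typeof process !== 'undefined' ? process.argv.slice(2) : [];
if (orgs.length && process.env.GITHUB_TOKEN) {
  auditOrgs(orgs, process.env.GITHUB_TOKEN)
    .then((report) => console.log(JSON.stringify(report, null, 2)),
      (err) => { console.error(err.message); process.exitCode = 1; });
}
```

An empty list for an organisation means every member already has 2FA, which is the state in which the organisation-wide requirement can be switched on without removing anyone.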