jupyter-server / team-compass

A repository for team discussion, syncing, and meeting notes.
https://jupyter-server-team-compass.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Requiring 2FA for Jupyter GitHub Orgs #32

Closed rpwagner closed 2 years ago

rpwagner commented 2 years ago

Problem

GitHub accounts without 2FA are at higher risk of compromise. This could impact the integrity of the source code, or even disrupt access to GitHub.

Proposed Solution

Make 2FA a requirement at the GitHub organization level.

Additional context

Hi,

We're touching base on behalf of the Security Subproject about the goal to have 2FA enabled for all the Jupyter GitHub orgs by the end of September.

Let us know if you would like help contacting any of your members without 2FA, or figuring out a process for jupyter-server. Someone from the Security Subproject would be glad to join one of your team meetings to discuss the least disruptive way to get this done for your GitHub org. We also invite anyone interested to join our Security Subproject meetings.

How to do this for your org and contributors will depend on several things. Here are some suggestions to get started:

We appreciate your time and effort to help improve the trust the Jupyter Community has in our work.

Once one of the jupyter-server GitHub org owners has enabled 2FA, we’d appreciate an update, either on this issue, or as an email to security@ipython.org.

Many thanks!

–Rick & @rcthomas

P.S. This will be posted on a few team-compass repos today, so apologies to those of you who contribute to many areas.

welcome[bot] commented 2 years ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively. You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

kevin-bates commented 2 years ago

Hi @rpwagner (and @rcthomas) - thank you for driving this and participating in the Jupyter Security Subproject. It's reassuring knowing that subproject exists!

We plan to enable 2FA for this organization by the end of tomorrow's (July 28) team meeting. Since there are a handful of outside collaborators w/o 2FA enabled, do you happen to have access to the e-mail text that GitHub sends automatically upon removing the collaborator, as this might help our decision on whether a pre-enablement email is necessary? If we do choose to send an email prior to 2FA enablement, there are a couple of accounts that are not associated with email addresses, so we may need your help with notifications. Is this something we can trigger via an email to security@ipython.org?

rpwagner commented 2 years ago

@kevin-bates great news that you've got a plan to enable this!

Unfortunately, we don't have the text of the email GitHub sends. Another option beside email is to reinstate their privileges right after you enable 2FA on the organization. That will send them an invite back to the org with the same access that the user can accept after they have enabled 2FA.

Otherwise, yes, we would be glad to help with the notification, and an email to security@ipython.org is a good choice. The Security Subproject has a list of the collaborators without 2FA and we can try to reach out to them.

I'll plan to attend the meeting tomorrow to help as I can and hear how it's going for you.

P.S. We're also working through this as we go, and now that we're getting into the details we're learning from the examples of other projects.
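An added example, not code from this thread or from the jupyter-server project, of the inventory step the two comments above are working through: listing the members and outside collaborators GitHub would drop from the org when the 2FA requirement is switched on, and flagging those with no public email on their account, who need another notification channel. It uses the REST `filter=2fa_disabled` parameter on the members and outside_collaborators endpoints (an org-owner token is required for that filter); the SAMPLE responses and logins are constructed stand-ins for live API output.

```python
import json
import urllib.request

API = "https://api.github.com"

def github_get(path, token):
    """Authenticated GET returning parsed JSON (live call; needs an org-owner token)."""
    req = urllib.request.Request(
        API + path, headers={"Authorization": "Bearer " + token,
                             "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def accounts_without_2fa(org, get):
    """Map login -> {"kind", "email"} for every account GitHub would drop from
    `org` once the 2FA requirement is enabled. `get` is a callable
    path -> parsed JSON, so the logic can run offline against canned data."""
    found = {}
    for kind, endpoint in (("member", "members"),
                           ("outside_collaborator", "outside_collaborators")):
        page = 1
        while True:  # the API returns at most 100 results per page
            batch = get(f"/orgs/{org}/{endpoint}?filter=2fa_disabled"
                        f"&per_page=100&page={page}")
            for user in batch:
                # Public profile email may be null: those accounts cannot be
                # warned by email and need another channel.
                email = get(f"/users/{user['login']}")["email"]
                found[user["login"]] = {"kind": kind, "email": email}
            if len(batch) < 100:
                break
            page += 1
    return found

def needs_other_channel(accounts):
    """Logins with no public email, i.e. the ones an email notice would miss."""
    return sorted(login for login, info in accounts.items() if not info["email"])

# Constructed sample responses standing in for the live API (not real accounts).
SAMPLE = {
    "/orgs/jupyter-server/members?filter=2fa_disabled&per_page=100&page=1":
        [{"login": "member-a"}],
    "/orgs/jupyter-server/outside_collaborators?filter=2fa_disabled"
    "&per_page=100&page=1": [{"login": "collab-b"}, {"login": "collab-c"}],
    "/users/member-a": {"email": "member-a@example.org"},
    "/users/collab-b": {"email": None},
    "/users/collab-c": {"email": "collab-c@example.org"},
}
```

Against the live API, call `accounts_without_2fa("jupyter-server", lambda p: github_get(p, TOKEN))`; against the canned data, pass `SAMPLE.__getitem__` as `get`.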

rpwagner commented 2 years ago

@kevin-bates & @Zsailer the email is very appropriate

(attached image: GitHub2FARemovalEmail)

kevin-bates commented 2 years ago

Thank you @rpwagner - this is very helpful. Given the small number of outside collaborators w/o 2FA and their low level of recent activity, I think we can go ahead and enable 2FA on the jupyter-server org.

I'll coordinate with @Zsailer for the enablement and respond back here to let you know (along with this issue's closure).

kevin-bates commented 2 years ago

@rpwagner - 2FA has been enabled on this organization. Thanks for all of your help. Closing issue.

rpwagner commented 2 years ago

Fantastic news! I appreciate that the org made this a priority and that you were able to do it smoothly.

Zsailer commented 2 years ago

Thanks @rpwagner and @kevin-bates!