ossf / great-mfa-project

The Great Multi-Factor Authentication (MFA) Distribution Project of the Open Source Security Foundation (OpenSSF). We work to distribute hardware MFA tokens to critical open source software (OSS) projects.

The Great MFA Distribution Project

Welcome to the Great MFA Distribution Project (great-mfa-project). The goal of this project is to:

  1. Promote the use of multi-factor authentication (MFA) throughout all stages of Open Source Software (OSS) development,
  2. Distribute MFA tokens to some developers of critical OSS, and
  3. Provide or point to information to help people easily use MFA tokens.

The OpenSSF is working with Google and GitHub who have generously offered to provide and distribute MFA tokens. Thank you!

MFA tokens, also called keys or fobs, are hardware devices specifically for authentication. These MFA tokens can be used in many applications in a developer's workflow. They help provide higher degrees of validation for a developer's identity when logging into code repositories or applications, or performing critical tasks such as signing code. Attackers generally find it much harder to take over an account authenticated with an MFA token compared to an account authenticated with only a password; see why we are doing this for more information.

How do I get an MFA token?

If your open source software (OSS) project has been notified that you're getting a free token from us, you'll receive a Google coupon code or a GitHub validation code. Here are step-by-step instructions:

If you contribute to an OSS project and were not contacted during our first round of token distribution, please reach out to our Working Group for more information.

Currently the tokens are shipped from the US. International shipping is available but subject to various limitations; see invitation.md for details.

The OpenSSF cares about privacy and does not get detailed lists of who gets every token; we only get aggregate values (per-project Google tokens and aggregate totals from GitHub).

How do I use an MFA token?

For some simple instructions on how to use MFA tokens for common OSS situations see our Token Usage Guide.

How we're doing this

Here is our basic plan:

Note: Organizational affiliations are only shown to clarify who we mean.

We've taken some steps to make sure this does not turn into the "world's best supply chain attack". See our security rationale. We also want to ensure this isn't just a "token effort". You can see the now-obsolete draft document The Great MFA Distribution Plan if you want to see more detail.

Why are we doing this?

Why do this? Our goal is to prevent supply chain attacks involving weak or compromised credentials of developers of open source software.

Over the last several years Open Source Software has become a critical upstream component of many of the applications and systems used the world over. As its use has grown, so has the potential for malicious actors to exploit the work that OSS communities produce each day.

"Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks" by Ohm et al. notes that compromising a developer's credentials is one way to subvert an OSS project, whether through its source code (in a forge) or its package (in a package repository). Here are examples:

MFA tokens don't counter all attacks (typosquatting, for example, involves no account takeover at all). Hardware tokens should also not be left unguarded in untrusted spaces, because side-channel attacks against hardware tokens are known to exist and some require physical access to the device. Still, by using multi-factor authentication, the likelihood that bad actors can violate the integrity of the open source supply chain is greatly reduced.

This will increase the level of security and protection for your project immensely, but use your common sense.

Why not use an authentication app instead?

An authentication app (such as Authy) running on a mobile phone is often stronger against attack than a simple password. So if you're using one, that's great!

However, hardware tokens are stronger still against attack. Authentication apps are easier to "take over" than a hardware token because the underlying system (the phone/computer hardware and its operating system) is shared with other apps. Those other apps may have unintentional vulnerabilities or embedded malicious code that can be used to steal the secret seed underlying the authentication app; whoever holds a copy of that seed can generate valid codes indefinitely. In contrast, hardware tokens are single-purpose and never export their keys, so far fewer attacks work against them. Hardware tokens that implement a phishing-resistant protocol such as FIDO2/WebAuthn also bind each credential to the site's origin, so a code-entry phishing page that would capture a one-time code from an app gets nothing usable from the token.

How were critical OSS projects selected?

For our purposes, a critical OSS project is an OSS project that can have an especially large impact if it has a significant unintentional vulnerability, or if it is subverted in either its source repository or distribution package(s). There are literally millions of open source software (OSS) projects today, making it difficult to create a focused list of "critical OSS projects".

The list of critical OSS projects was developed for the Great MFA Distribution Project by the OpenSSF Securing Critical Projects Working Group (WG). This OpenSSF working group has been specifically working on this problem!

There are many ways to identify "critical" projects, so the Securing Critical Projects WG combined the results of several different analyses (also called "selection criteria"). The WG then used human group review of this combined set of top candidates to create a final, defensible list. The analyses ("selection criteria") for identifying candidate critical OSS projects included:

Every method for identifying critical OSS projects has its strengths and weaknesses; we believe the combination of analyses plus human review is better than relying on any one of them. For example, a high OpenSSF criticality score tends to emphasize very busy projects; human review can remove projects that are busy but for whatever reason are less critical. Some projects are very important yet not active; by using other measures (not just the OpenSSF criticality score) we can still identify them.

We have no doubt that other OSS projects will be added to the critical OSS projects list over time. If you're interested in helping to do that, please join the Securing Critical Projects WG.

Here is the list of critical OSS projects and who from the Great MFA Distribution Project will be notifying them. Note that this list is the same as the list of critical OSS projects identified by the Securing Critical Projects WG as of 2021-12-02. We're using that version because the Google coupon codes expire on 2021-12-31. Even if they didn't expire, though, we think it's wiser to quickly get the tokens we have available to critical projects. The sooner the tokens are in developers' hands, the sooner we counter some attacks on critical projects.

Background information

Some will refer to these as "two-factor authentication" (2FA) tokens; however, for various reasons we're using the term "MFA" instead.

The Great MFA Distribution Project is a project of the Linux Foundation's Open Source Security Foundation (OpenSSF) within its Best Practices Working Group. Discussions are held within that working group's mailing list and online meetings.

All documents, including any improvements, are released under the Creative Commons Attribution (CC BY) license.