zowe / zac

Zowe Leadership Committee collaboration
Creative Commons Attribution 4.0 International

Turn on "Require two-factor authentication for everyone in the Zowe organization." #96

Closed jmertic closed 4 years ago

jmertic commented 5 years ago

LF IT reviewed that this setting wasn't on and strongly recommended that the project do this for security reasons.

Thinking if the ZLC is good with this, we could have a 30 day grace period and then flip it on. Thoughts?
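An added example, not part of this thread or the Zowe project: a small audit script an org owner could run during the proposed grace period to see whether the requirement is already enforced and which members still lack 2FA. It uses two documented GitHub REST endpoints, `GET /orgs/{org}` (field `two_factor_requirement_enabled`) and `GET /orgs/{org}/members?filter=2fa_disabled`; the org name defaults to `zowe` and the token comes from `GITHUB_TOKEN`, both assumptions.

```python
"""Audit which GitHub org members have not enabled 2FA (added example)."""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"


def fetch_json(path, token):
    """GET an API path with an org-owner token and return the parsed JSON body."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_2fa(org_info, members_without_2fa):
    """Combine the two API responses into (requirement_enforced, logins_lacking_2fa).

    org_info: parsed body of GET /orgs/{org}
    members_without_2fa: parsed body of GET /orgs/{org}/members?filter=2fa_disabled
    (that filter is only honoured for organization owners)
    """
    enforced = bool(org_info.get("two_factor_requirement_enabled", False))
    logins = sorted(m["login"] for m in members_without_2fa)
    return enforced, logins


def main(org):
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        sys.exit("set GITHUB_TOKEN to a token of an organization owner")
    # per_page=100 covers a small org in one page; larger orgs need pagination.
    enforced, logins = summarize_2fa(
        fetch_json(f"/orgs/{org}", token),
        fetch_json(f"/orgs/{org}/members?filter=2fa_disabled&per_page=100", token),
    )
    print(f"{org}: 2FA requirement enforced = {enforced}")
    print(f"{len(logins)} member(s) without 2FA: {', '.join(logins) or 'none'}")
    # Non-zero exit lets a scheduled job flag stragglers before the grace period
    # ends: turning the requirement on removes members who still lack 2FA.
    return 1 if logins else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "zowe"))
```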

hogstrom commented 5 years ago

+1 from me.

armstro commented 5 years ago

I'd like to know more about how this would be implemented before voting... would it involve use of just a second email address to confirm identity, personal cell, DNA sample?

jmertic commented 5 years ago

Check out this...

https://help.github.com/en/articles/securing-your-account-with-two-factor-authentication-2fa

Thank you,

John Mertic Director of Program Management - Linux Foundation ASWF, ODPi, and Open Mainframe Project jmertic@linuxfoundation.org +1 234-738-4571 Schedule time with me at https://calendly.com/jmertic


1000TurquoisePogs commented 5 years ago

-1 for me. 2FA can be nice, if the auth types are nice. GitHub appears to only have a few, and they all have issues.

  1. Phone number, which is great up until there's yet another leak and now robocallers have my phone number again
  2. authy: requires my phone number, so the same
  3. 1password: not free
  4. lastpass authenticator: doesn't work on android without google services framework, which is proprietary.

Edit: Actually, there are other TOTP-compatible apps that are open source. I tried one out (Aegis) which worked, but here's a few: https://search.f-droid.org/?q=totp&lang=en

jmertic commented 5 years ago

@1000TurquoisePogs So is the tooling the main issue for you? I think you pointed out there are a ton of open/proprietary solutions (as well as hardware and software), which provides flexibility.

I think the big thing is, we want to ensure everyone's accounts are secure, especially if you have committer access. 2FA is extremely common these days - most LF projects have this requirement and it's usually quite welcomed and encouraged by the community.

jmertic commented 5 years ago

I'll also note it's part of the CII badge at the Gold level:

https://bestpractices.coreinfrastructure.org/en/projects/2226?criteria_level=2#changecontrol

hogstrom commented 5 years ago

Need to write up a recommendation to start ... for example - Sean to compile the initial list

jmertic commented 5 years ago

@hogstrom When can we flip this on?

hogstrom commented 4 years ago

Complete