Thanks for bringing up this issue, Luca! I am 100% in favor of enforcing 2-factor auth for the org.
On Thu, Mar 30, 2017 at 7:15 AM Harald Achitz <[email protected]> wrote:
> As a user: please make it a requirement for write access to have 2-factor
> auth.
>
> Thanks for having this idea and doing this initiative!
>
> Regards
> Harald
> sent from my fairphone
>
> On Mar 30, 2017 12:37 PM, "Luca Boccassi" <[email protected]> wrote:
>
> Hello all,
>
> There has been news recently of attacks targeting developers using
> Github, and whose account is part of organizations [1].
>
> Github has been offering 2 factor authentication [2] for quite some
> time now, with options including a free TOTP phone app like the Google
> Authenticator or inexpensive U2F hardware tokens.
>
> It is well known that having 2FA enabled greatly reduces the chance of
> having an account compromised, and the damage in case it happens.
> Dragnet-style attacks become much less effective, and directly targeted
> attacks to compromise both a machine and a token have to be deployed in
> order to be effective. It is, simply put, a really good idea to use 2FA.
>
> In the Github ZeroMQ Org we have 114 members, of which 35 have admin
> permissions.
> Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners, 15 do
> NOT have 2FA enabled.
>
> In case one of the members (especially an admin) had the account
> compromised, real damage could be caused.
>
> So I would like to propose to enforce the use of 2FA, starting with the
> admin accounts [3]. I can email the individual accounts asking to do
> so, in case they do not monitor the mailing list.
>
> What do you think? Any objections?
>
> Kind regards,
> Luca Boccassi
>
> [1]
> https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> [2] https://help.github.com/articles/about-two-factor-authentication/
> [3] Github has a setting to make it mandatory for an organization, but
> I'm not proposing to use that just now, as it will automatically kick
> anyone who does not have 2FA, which is too extreme and not necessary at
> the moment.
> _______________________________________________
> zeromq-dev mailing list
> [email protected]
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
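The membership numbers quoted in the thread (members, owners, and how many of each lack 2FA) are the audit an org owner wants before flipping GitHub's organization-wide "require 2FA" switch, which, as note [3] says, evicts every member who has not enabled it. The script below is an added example written for this page, not code from the thread or from the ZeroMQ project. It uses GitHub's real "list organization members" endpoint with its documented `role` and `filter=2fa_disabled` query parameters (the latter needs an org-owner token); the org name, the token variable and the sample member sets are constructed stand-ins. The summary logic is kept separate from the network call so it can be run offline on the sample data.

```python
"""Audit which GitHub organization members still lack 2FA.

Added example for the zeromq-dev 2FA thread, not the project's own tooling.
Real pieces: GET /orgs/{org}/members with role=admin and filter=2fa_disabled.
Constructed pieces: the sample login sets and the "contact first" ordering.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

API = "https://api.github.com"


def fetch_logins(org: str, token: str, **params: str) -> set[str]:
    """Collect member logins from GET /orgs/{org}/members, following pagination.

    filter=2fa_disabled is only honoured for organization owners.
    This part talks to the network and is not exercised by the offline sample run.
    """
    logins: set[str] = set()
    page = 1
    while True:
        query = urllib.parse.urlencode({**params, "per_page": "100", "page": str(page)})
        req = urllib.request.Request(
            f"{API}/orgs/{org}/members?{query}",
            headers={
                "Authorization": f"token {token}",  # hypothetical token variable
                "Accept": "application/vnd.github.v3+json",
            },
        )
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:  # an empty page means pagination is exhausted
            return logins
        logins.update(user["login"] for user in batch)
        page += 1


@dataclass
class TwoFactorAudit:
    members: int
    admins: int
    members_without_2fa: int
    admins_without_2fa: int
    contact_first: list[str] = field(default_factory=list)  # admins lacking 2FA
    contact_next: list[str] = field(default_factory=list)   # other members lacking 2FA


def audit(all_members: set[str], admins: set[str], no_2fa: set[str]) -> TwoFactorAudit:
    """Pure summary over the three login sets the API returns.

    Admin accounts without 2FA are the highest-risk group, so they come first,
    mirroring the thread's proposal to start enforcement with the owners.
    """
    admins_missing = sorted(admins & no_2fa)
    others_missing = sorted((no_2fa & all_members) - admins)
    return TwoFactorAudit(
        members=len(all_members),
        admins=len(admins),
        members_without_2fa=len(no_2fa & all_members),
        admins_without_2fa=len(admins_missing),
        contact_first=admins_missing,
        contact_next=others_missing,
    )


def audit_org(org: str, token: str) -> TwoFactorAudit:
    """Live audit: three paginated API calls, then the pure summary above."""
    return audit(
        fetch_logins(org, token, role="all"),
        fetch_logins(org, token, role="admin"),
        fetch_logins(org, token, filter="2fa_disabled"),
    )


# Constructed sample data standing in for the three API responses.
SAMPLE_MEMBERS = {"alice", "bob", "carol", "dave", "erin", "frank"}
SAMPLE_ADMINS = {"alice", "bob"}
SAMPLE_NO_2FA = {"bob", "dave", "frank"}

if __name__ == "__main__":
    report = audit(SAMPLE_MEMBERS, SAMPLE_ADMINS, SAMPLE_NO_2FA)
    print(f"{report.members_without_2fa}/{report.members} members lack 2FA, "
          f"{report.admins_without_2fa}/{report.admins} admins lack 2FA")
    print("contact first (admins):", ", ".join(report.contact_first))
    print("contact next:", ", ".join(report.contact_next))
```

Run it as-is to see the offline summary, or call `audit_org("your-org", token)` with an owner token to produce the same report for a live organization; the `contact_first` list is the set of accounts to email before any org-wide enforcement is switched on, so nobody is removed by surprise.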
