Re: [sirius-dev] Request for Enforcing Two-Factor Authentication for All Committers
Hi Pierre-Charles,
Thank you for swiftly taking care of that.
When we enforce 2FA for your organization, people without 2FA will be kicked out of the organization, so they will lose their advanced permissions on the repositories. They will still be able to contribute to issues, create PRs, etc., but they won't be able to write to the repositories.
It won't change anything for them on GitHub outside of your GitHub organization.
There is a special procedure that makes it very easy for us to reinstate their access privileges and settings if they enable two-factor authentication within three months of their removal from your organization.
Hope this helps.
Cheers,
Mikaël Barbero
Head of Security | Eclipse Foundation 🐦 @mikbarbero
On 3 Mar 2023, at 15:45, Pierre-Charles David <pierre-charles.david@xxxxxxx> wrote:
Hi Mikael,
I'm in contact with all our committers
to make sure they enable it asap, but some are unavailable at the
moment.
What's the risk if we ask for enforcing
this and some committers have not yet enabled 2FA? Are they
immediately blocked from contributing to the project? From GitHub
in general?
Cheers,
Pierre-Charles
On 02/03/2023 at 18:52, Mikael Barbero
via sirius-dev wrote:
Dear Eclipse Sirius Team,
I am reaching out to request that your project enforces
two-factor authentication (2FA) for all committers at GitHub.
We, at the Eclipse Foundation, take the security of your
project's code and data very seriously. Enforcing 2FA can
greatly improve the security of your project and protect it from
potential security breaches.
As you may know, 2FA adds an extra layer of security to the
login process by requiring users to provide two forms of
authentication: something they know (such as a password) and
something they have (such as a security key or smartphone). This
significantly reduces the risk of unauthorized access to
sensitive information, as it makes it much more difficult for
hackers to gain access to user accounts. With the increasing
number of security breaches and cyberattacks, it is crucial for
open source projects to take extra precautions to secure their
code and data. Enforcing 2FA for all committers would be a
simple yet effective way to enhance the security of your
project. See a blog post of mine for additional
details.
We understand that implementing 2FA may require some effort,
but we are here to help. If you want to start enforcing it, just
open a ticket on the Eclipse Foundation help desk. I can
already tell you that less than 55% of committers have 2FA
activated in your GitHub organization.
Thank you for your time and consideration. I look forward to
your response.
Cheers,
Mikaël Barbero
Head of Security | Eclipse Foundation
🐦 @mikbarbero
_______________________________________________
sirius-dev mailing list
sirius-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/sirius-dev
--
Pierre-Charles David (Obeo)