Please turn on 2FA/MFA support on your GitHub account
In the SC meeting today we discussed requiring two-factor authentication (aka 2FA/MFA) and came away strongly considering it (but no definitive plans yet). But we did agree that we should send a quick email encouraging everyone to turn on 2FA for their GitHub Accounts regardless of what we decide to do.
GitHub's instructions can be found at https://docs.github.com/en/authentication/securing-your-account-with-two-fac... . You can use various apps on your desktop or phone as well as a physical device to manage 2FA. And to be clear, you only need access to your 2FA solution when you log in; it's not a day-to-day action at all (I personally have not used my 2FA since the last time I logged into a new device for the first time or when my GitHub account was attacked and the attackers exhausted my password attempts for the day).
For those of you who would prefer to use a hardware device and would like help getting one, we can make a request to the PSF to sponsor devices for those who want them.
On Tue, Feb 8, 2022 at 12:11 AM Brett Cannon <brett@python.org> wrote:
And to be clear, you only need access to your 2FA solution when you log in; it's not a day-to-day action at all (I personally have not used my 2FA since the last time I logged into a new device for the first time or when my GitHub account was attacked and the attackers exhausted my password attempts for the day).
Even if I'm already logged in in Firefox, GitHub requires me to prove my identity with 2FA for two actions:
- Access to the Access > Collaborators settings (add/remove people to a project)
- [Delete this repository] button: delete a whole project (code, issues, everything)
IMO it's a good thing that GitHub requires extra security for these two actions.
Victor
Night gathers, and now my watch begins. It shall not end until my death.
On 2/7/22 16:14, Victor Stinner wrote:
On Tue, Feb 8, 2022 at 12:11 AM Brett Cannon <brett@python.org> wrote:
And to be clear, you only need access to your 2FA solution when you log in; it's not a day-to-day action at all (I personally have not used my 2FA since the last time I logged into a new device for the first time or when my GitHub account was attacked and the attackers exhausted my password attempts for the day).
Even if I'm already logged in in Firefox, GitHub requires me to prove my identity with 2FA for two actions:
- Access to the Access > Collaborators settings (add/remove people to a project)
- [Delete this repository] button: delete a whole project (code, issues, everything)
IMO it's a good thing that GitHub requires extra security for these two actions.
Victor
How many times a week are you doing that second one with CPython?
//arry/
When I propose a PR on a project and I don't plan to contribute more than that PR, when the PR is merged, I delete my fork. At work, I send patches to many different projects to fix some Python 3.11 compatibility issues.
It was just a general remark. If you enable 2FA on GitHub, the effect is not restricted to CPython, but affects any action on any of your projects on GitHub.
Victor
The SC has decided to move ahead and require 2FA for GitHub. Since the controls are per org, rather than per repo, this will apply to everything under the 'python' repo. We've asked Ee (the PSF's Director of Infrastructure) to start contacting accounts that don't have 2FA enabled, including bots, in preparation for this. We'll decide on an actual date we start requiring 2FA once we have a clear picture of what bots still need updating, but in the meantime I recommend everyone switch on 2FA of some kind, if you haven't already. (As mentioned before, if you want hardware tokens, the PSF can supply those.)
On Tue, Feb 8, 2022 at 12:11 AM Brett Cannon <brett@python.org> wrote:
In the SC meeting today we discussed requiring two-factor authentication (aka 2FA/MFA) and came away strongly considering it (but no definitive plans yet). But we did agree that we should send a quick email encouraging everyone to turn on 2FA for their GitHub Accounts regardless of what we decide to do.
GitHub's instructions can be found at https://docs.github.com/en/authentication/securing-your-account-with-two-fac... . You can use various apps on your desktop or phone as well as a physical device to manage 2FA. And to be clear, you only need access to your 2FA solution when you log in; it's not a day-to-day action at all (I personally have not used my 2FA since the last time I logged into a new device for the first time or when my GitHub account was attacked and the attackers exhausted my password attempts for the day).
For those of you who would prefer to use a hardware device and would like help getting one, we can make a request to the PSF to sponsor devices for those who want them.
python-committers mailing list -- python-committers@python.org To unsubscribe send an email to python-committers-leave@python.org https://mail.python.org/mailman3/lists/python-committers.python.org/ Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/2... Code of Conduct: https://www.python.org/psf/codeofconduct/
-- Thomas Wouters <thomas@python.org>
On Mon, Apr 18, 2022 at 6:28 PM Thomas Wouters <thomas@python.org> wrote:
The SC has decided to move ahead and require 2FA for GitHub. Since the controls are per org, rather than per repo, this will apply to everything under the 'python' repo.
I meant "everything under the 'python' org", of course, sigh.
We've asked Ee (the PSF's Director of Infrastructure) to start contacting accounts that don't have 2FA enabled, including bots, in preparation for this. We'll decide on an actual date we start requiring 2FA once we have a clear picture of what bots still need updating, but in the meantime I recommend everyone switch on 2FA of some kind, if you haven't already. (As mentioned before, if you want hardware tokens, the PSF can supply those.)
On Tue, Feb 8, 2022 at 12:11 AM Brett Cannon <brett@python.org> wrote:
In the SC meeting today we discussed requiring two-factor authentication (aka 2FA/MFA) and came away strongly considering it (but no definitive plans yet). But we did agree that we should send a quick email encouraging everyone to turn on 2FA for their GitHub Accounts regardless of what we decide to do.
GitHub's instructions can be found at https://docs.github.com/en/authentication/securing-your-account-with-two-fac... . You can use various apps on your desktop or phone as well as a physical device to manage 2FA. And to be clear, you only need access to your 2FA solution when you log in; it's not a day-to-day action at all (I personally have not used my 2FA since the last time I logged into a new device for the first time or when my GitHub account was attacked and the attackers exhausted my password attempts for the day).
For those of you who would prefer to use a hardware device and would like help getting one, we can make a request to the PSF to sponsor devices for those who want them.
-- Thomas Wouters <thomas@python.org>