[Qgis-psc] Fwd: Users in your organization will soon be required to enable 2FA

Richard Duivenvoorde rdmailings at duif.net
Wed Aug 16 04:44:23 PDT 2023


Hi,

FYI

We (GitHub admins) received the mail below.

If I understand correctly, because the QGIS org/project has a certain weight, users committing to repos of qgis.org have to enable 2FA, or lose access to the qgis repos.

I see a lot of people who have not enabled 2FA yet (myself I just did it 10 seconds ago).

I'm pretty sure they will get a personal notice from github too, but thought to let you all know of this mail.

Regards,

Richard Duivenvoorde




-------- Forwarded Message --------
Subject: 	Users in your organization will soon be required to enable 2FA
Date: 	Mon, 14 Aug 2023 11:38:26 -0700
From: 	GitHub <noreply at github.com>
To: 	Richard Duivenvoorde <richard at duif.net>





     Some users in your organization will soon be required to enable 2FA

Hey rduivenvoorde!

You are receiving this notification because you are the admin of the "qgis" organization. In your organization there are 51 users that meet the updated criteria for the two-factor authentication requirement program. Of these 51 users, 24 already have 2FA enabled, and will not be allowed to disable it. The rest will be required to enable it over a 45-day period. Read on to learn what that means for your users, and how to prepare.

*This enrollment is not related to your organization account or its settings.* It is based on the individual actions and privileges of your organization's users on GitHub.com, both within your organization and outside of it.


     What is GitHub's required 2FA program?

GitHub is expanding the 2FA program announced last year <https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/>. When we launched this program in March <https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13>, we only included users who had published an app, Action, or Package. Starting today, we'll ask users who have published a release of a repository or manage critical repositories to also enable 2FA.


     When do these users have to enable 2FA?

Users will be contacted over the next month, receiving emails and notification banners on GitHub.com. They have 45 days, starting from the day they are notified, to enable 2FA. The first third of users will be contacted today.

To learn more about the enrollment process, see our March blog post <https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/#reminder-what-to-expect-if-you-are-required-to-enable-2fa> about the timeline.


     Why do these users have to enable 2FA?

These users have taken an action on GitHub.com which now requires 2FA.

Users in this enrollment group have created a release <https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases> or manage a critical OpenSSF repository <https://github.com/ossf/wg-securing-critical-projects>. That means, the 51 users in your organization being added to the program have created a release at least once in the past, or are administrators of an OpenSSF repository. This release may have been from one of your Organizations, in another Organization, or in their own personal repositories.

In addition to the new enrollment group, we have enabled daily updates to the previous enrollment group, which included all accounts that have published an app, Action or Package. If a user publishes an app, Action, or Package for the first time, they will be enrolled in the 2FA program the next day, starting the 45-day enrollment process detailed in our March blog post <https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/#reminder-what-to-expect-if-you-are-required-to-enable-2fa>.


     Will any more of my members need to enable 2FA?

More of your organization's members may take an action that puts them in this enrollment group or a previous one. At any time, you can review which users are required to enable 2FA by checking the People tab of your organization - it now shows users who are required to enable 2FA but have not yet done so. In the future, we'll continue to expand the set of users that require 2FA, and we'll reach out again when that occurs.

You should validate if service accounts you manage are in this rollout, by reviewing their associated email inbox for notifications across the next month. For help on setting up 2FA for shared service accounts, see "Setting up 2FA for service accounts" <https://docs.github.com/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/managing-bots-and-service-accounts-with-two-factor-authentication>.


     Isn't SAML protection sufficient?

SAML protects your organization data, but it doesn't stop an attacker from accessing your users' personal accounts. These accounts can be contributors outside of your organization, and need to be protected as well.

Making the software supply chain more secure is a team effort, and we couldn't do it without you. Your support of 2FA is an impactful step in keeping the world's software secure.

Thanks,
The GitHub Security Team


GitHub, Inc. ・88 Colin P Kelly Jr Street ・San Francisco, CA 94107
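The mail says an org admin can see who still has to enable 2FA in the People tab. The same review can be scripted against the REST API, as in this added example (not from the original mail, QGIS or GitHub): it assumes an org-owner token in `GITHUB_TOKEN` and uses the members endpoint's `filter=2fa_disabled` parameter; the sample member lists at the bottom are constructed so the summary runs offline.

```python
"""Audit which members of a GitHub organization still lack 2FA."""
import json
import os
import urllib.request

API = "https://api.github.com"


def fetch_members(org, token, filter_2fa=None, per_page=100):
    """Return all member objects from GET /orgs/{org}/members,
    following page= pagination. filter_2fa="2fa_disabled" restricts
    the result to members without 2FA (org-owner token required)."""
    members, page = [], 1
    while True:
        url = f"{API}/orgs/{org}/members?per_page={per_page}&page={page}"
        if filter_2fa:
            url += f"&filter={filter_2fa}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        members.extend(batch)
        if len(batch) < per_page:
            return members
        page += 1


def summarize_2fa(all_members, disabled_members):
    """Split the org's members into those with 2FA and those still
    to enroll. Both inputs are lists of member objects as the API
    returns them; only the "login" field is used."""
    all_logins = {m["login"] for m in all_members}
    missing = sorted(m["login"] for m in disabled_members
                     if m["login"] in all_logins)
    enabled = sorted(all_logins - set(missing))
    return {"total": len(all_logins), "enabled": enabled, "missing": missing}


# Constructed sample data standing in for the two API responses.
SAMPLE_ALL = [{"login": name} for name in ("alice", "bob", "carol", "dave")]
SAMPLE_DISABLED = [{"login": "bob"}, {"login": "dave"}]

if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), "qgis"  # org name assumed
    if token:  # live run against the API when a token is present
        report = summarize_2fa(fetch_members(org, token),
                               fetch_members(org, token, "2fa_disabled"))
    else:      # offline run on the constructed sample
        report = summarize_2fa(SAMPLE_ALL, SAMPLE_DISABLED)
    print(f"{len(report['enabled'])} of {report['total']} members have 2FA;"
          f" still missing: {', '.join(report['missing'])}")
```

Service accounts show up in the "missing" list like any other member, which is a quick way to find the shared accounts the mail asks admins to check.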


