Re: Requiring 2FA for Github Accounts in OCA


Jason Keirstead
 

FWIW, it is debatable if a hardware key is any more secure than properly used TOTP (a la Google/Microsoft/Authy Authenticator, etc.).

Github also supports full FIDO, so you can use your Mac or Windows fingerprint reader, Windows Hello (Face ID), etc.
 
-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security
Declare an Emergency: USA +1 888 241 9812, Global +1 312 212 8034
 
Assistant - Mauricio Durán Cambronero (mauduran@...)

Co-Chair - Open Cybersecurity Alliance, Project Governing Board
www.opencybersecurityalliance.org
 
 
 

----- Original message -----
From: "sfractal" <duncan@...>
Sent by: oca-pgb@...
To: "oca-pgb@..." <oca-pgb@...>
Cc: "chet.ensign@..." <chet.ensign@...>, "claudia.rauch@..." <claudia.rauch@...>
Subject: [EXTERNAL] Re: [oca-pgb] Requiring 2FA for Github Accounts in OCA
Date: Thu, Jan 13, 2022 4:39 PM
 

I’m fine with 2FA since I already have it on my github account (although it’s the less secure text message one, not the fancy yubikey which I probably should get).

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

From: oca-pgb@... <oca-pgb@...> on behalf of Mark Mastrangeli via lists.oasis-open-projects.org <mark.mastrangeli=tenzir.com@...>
Date: Thursday, January 13, 2022 at 3:28 PM
To: oca-pgb@... <oca-pgb@...>
Cc: chet.ensign@... <chet.ensign@...>, claudia.rauch@... <claudia.rauch@...>
Subject: Re: [oca-pgb] Requiring 2FA for Github Accounts in OCA

I concur. 

 

I am implementing this in my company now. We are using Yubikey. 

 

On Thu, Jan 13, 2022 at 12:18 PM Jason Keirstead <Jason.Keirstead@...> wrote:

Hello everyone; 


I would like to propose that the OCA require everyone in our GitHub organization to have 2FA enabled.

 

This is a setting available on Github and in 2022 it should be considered best practice. There are a multitude of free and widely available options for 2FA on Github.


Does anyone have any reason we should not turn this on?

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

Declare an Emergency: USA +1 888 241 9812, Global +1 312 212 8034

 

Assistant - Mauricio Durán Cambronero (mauduran@...)


Co-Chair - Open Cybersecurity Alliance, Project Governing Board

--

Best Regards,

 

Mark Mastrangeli 

Direct: +1 (214) 991-7675
