Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2FA for the entire org #301

Closed
Trott opened this issue Jul 23, 2017 · 61 comments
Closed

2FA for the entire org #301

Trott opened this issue Jul 23, 2017 · 61 comments

Comments

@Trott
Copy link
Member

Trott commented Jul 23, 2017

Is there TSC consensus on step 1 below?

  1. TSC requests that every new org member have 2FA enabled prior to being added.
  2. Email to members requesting they enable 2FA, explaining why.
  3. After a month or two or six, ask org members generally (and the website team specifically) to provide feedback as to whether this requirement has been harmful, beneficial, or neither.
  4. Based on the information provided by org members, TSC weighs whether the benefits of 2FA for the entire org outweigh the downsides. If (as I expect) the benefits outweigh downsides, set a date to enable 2FA for the entire org and announce it. If the challenges caused by enabling 2FA outweigh the benefits, then the TSC should rescind the request in 1 above.

It seems like step 2 and step 3 would not need TSC buy-in. Of course, step 4 would.

/cc @ChALkeR

@rvagg
Copy link
Member

rvagg commented Aug 10, 2017

Very +1 to step 1, good step toward a better state. No 2fa, no access.

wrt the rest, I'm not convinced we need it to be codified that way. Can we just collect all of the objections here and assess now based on that? We've been chasing people for this for at least a year now right? We already have some feedback and afaik none of it provides a strong point against 2fa. The benefits of 2fa stand on their own and I'd hope we could see our way clearly to agreeing whether it's good for the org or not before even progressing down that path (implicit here is that I think we've already made that assessment and voting for step 1 is an endorsement of that).

@Trott
Copy link
Member Author

Trott commented Aug 10, 2017

We've been chasing people for this for at least a year now right?

@rvagg No, that's not right. We made this A Thing for people in the collaborators team. What we're talking about here is making it A Thing org wide, which will affect hundreds more people who have never been notified about this in any way as far as I know.

@ljharb
Copy link
Member

ljharb commented Aug 10, 2017

What would the concern be though, that would be worth the lack of security?

@Trott
Copy link
Member Author

Trott commented Aug 10, 2017

What would the concern be though, that would be worth the lack of security?

@ljharb I'll let someone else answer because I'm totally in favor of 2FA everywhere. What I can tell you is that while I think most people are on board, there was not unanimity about it in a long-running previous private conversation. This issue is a direct result of that conversation. Sorry if I'm being cryptic.

@ljharb
Copy link
Member

ljharb commented Aug 10, 2017

Would it be helpful to tl;dr here any concerns about enabling it everywhere?

@MylesBorins
Copy link
Contributor

MylesBorins commented Aug 11, 2017 via email

@ljharb
Copy link
Member

ljharb commented Aug 11, 2017

Gotcha - in which countries is access to email and/or a textable cellphone number an issue?

@mhdawson
Copy link
Member

I'm +1 to Rich's suggestion for step 1. If makes progress towards the goal and will give us solid data as to whether there are concerns in implementing it repo wide. If we find people having problems when we ask them to use 2fa we can re-evaluate.

@Fishrock123
Copy link
Contributor

Agree with @mhdawson. Plus there are tools we can recommend that just 2fa from a computer, even if it is the same one. While not ideal maybe it could work as a backup.

@Trott
Copy link
Member Author

Trott commented Nov 4, 2017

Picking this up again!

Hello, @nodejs/members!

If you do not have two-factor authentication enabled on your GitHub account, would you please consider enabling it?

I'm advocating for requiring it, and it's much easier to make that case if nearly everyone already has it enabled. :-D

Thanks for your consideration!

@Trott
Copy link
Member Author

Trott commented Dec 4, 2017

(I'm removing the tsc-review label because there is TSC consensus that we should move forward with requiring 2FA.)

@Trott Trott removed the tsc-review label Dec 4, 2017
@benjamingr
Copy link
Member

Just wondering, what power do members (for being members) have?

For collaborators - someone could cause an inconvenience.

@gibfahn
Copy link
Member

gibfahn commented Dec 4, 2017

@benjamingr I think members can create teams and repos in nodejs/

@Trott
Copy link
Member Author

Trott commented Dec 4, 2017

Just wondering, what power do members (for being members) have?

@benjamingr I'll respond over in the members discussion about this subject.

@Trott
Copy link
Member Author

Trott commented Feb 1, 2018

2FA for the entire org has been enabled.

@Trott Trott closed this as completed Feb 1, 2018
@bnb
Copy link
Contributor

bnb commented Feb 1, 2018

@Trott How many members were removed because of this (assuming that's how it works).

@freenice12
Copy link

I have got a mail remove from nodejs. It notices me that enable 2FA.
Didn't check this issue as well.
So, how can i join again nodejs member?

@timdp
Copy link

timdp commented Feb 1, 2018

Yeah, that's definitely how it works. I just got my broken phone back earlier today and after an hour of use, it turned out it was still broken. As a consequence, I temporarily turned off 2FA on many of my accounts. That unfortunately coincided with the enforcement of the policy, which I fully support and which I've actually been pushing at our own company as well, by the way.

@Trott Please show some love to a guy who's been without a proper smartphone for several weeks now and let me back in. Needless to say, I've re-enabled 2FA. Sorry for the burden.

@suensummit
Copy link

@Trott @bnb @freenice12 Same here.
Is there any way to rejoin nodejs member?

@xudafeng
Copy link

xudafeng commented Feb 3, 2018

@Trott 2FA is enabled, how to rejoin nodejs org?

@Trott
Copy link
Member Author

Trott commented Feb 3, 2018

@freenice12 I've sent you an invitation to rejoin nodejs-ko team. If you have 2FA enabled, you can accept the invitation. If you don't have 2FA enabled, you can enable it first and then accept the invitation.

@Trott
Copy link
Member Author

Trott commented Feb 3, 2018

@timdb I've sent you an invitation to rejoin nodejs-nl. If you have 2FA enabled, you can accept the invitation. If you don't have 2FA enabled, you can enable it first and then accept the invitation.

@kapouer
Copy link

kapouer commented Feb 3, 2018

Same here, i've been kicked out. I enabled 2FA since. I don't need to be part of nodejs org. Maybe it's useful to remind collaborators of my involvement.

@ramimoshe
Copy link

@Trott 2FA is enabled, how to join nodejs org?

@Trott
Copy link
Member Author

Trott commented Feb 5, 2018

@kapouer It unfortunately does not appear to be a terribly active team (last commit to the nodejs-fr repo was October 2015), but I've added you. Maybe it will get going again soon. This issue was opened in October 2017: nodejs/nodejs-fr#88

@Trott
Copy link
Member Author

Trott commented Feb 5, 2018

@detailyang You should now have an invitation in GitHub for the website team. Thanks.

@Trott
Copy link
Member Author

Trott commented Feb 5, 2018

@artcygn You should now have an invitation in GitHub to rejoin nodejs-ru. Thanks.

@Trott
Copy link
Member Author

Trott commented Feb 5, 2018

@harshadsabne You should now have an invitation in GitHub to rejoin nodejs-hi. Thanks.

@Trott
Copy link
Member Author

Trott commented Feb 5, 2018

@ramimoshe Your username is not showing up as one of the usernames that was removed. If you know what team you were a member of or wish to be a member of, you can request membership.

@ram-you
Copy link

ram-you commented Feb 5, 2018

Hi @Trott , I would like to join nodejs-fr team. Thank you.

@Trott
Copy link
Member Author

Trott commented Feb 5, 2018

@ram-you Done. Everyone else: I may not honor further requests to join new localization teams pending some feedback from Community Committee about how it works these days.

@laosb
Copy link

laosb commented Mar 14, 2018

@Trott My fault for not checking my GitHub-only inbox. Is there any chance that I could rejoin?

@Trott
Copy link
Member Author

Trott commented Mar 14, 2018

@laosb You should have an invitation to nodejs-cn team again. Thanks.

@anio
Copy link

anio commented Apr 3, 2018

I have enabled 2FA. Can anyone send me an invitation?

@Trott
Copy link
Member Author

Trott commented Apr 3, 2018

@anio You should have an invitation to rejoin @nodejs/nodejs-fa (which will also add you to the Localization and members teams).

@anio
Copy link

anio commented Apr 4, 2018

@Trott Thank you!

@feross
Copy link

feross commented Apr 13, 2018

@Trott I also lost access to the org somehow. I'm not actively using it, but I did quite enjoy the badge on my profile.

@Trott
Copy link
Member Author

Trott commented Apr 13, 2018

@Trott I also lost access to the org somehow. I'm not actively using it, but I did quite enjoy the badge on my profile.

@feross I don't want to be a killjoy, but I wouldn't want someone else to add people for that reason, so I'm not going to do it myself. If there's a team or working group that you are active on or would like to be more involved with, let's get you set up that way. I can suggest some ideas if you want to hit me up in email / IRC / Twitter.

@feross
Copy link

feross commented Apr 13, 2018

@Trott Makes sense.

@benjamingr
Copy link
Member

@feross I'd like to point out that your contribution to Node is more than welcome and I'm sure there are many things you can help with :)

@No9
Copy link
Member

No9 commented Apr 13, 2018

@Trott Can you add me back into solaris and freebsd please

@Trott
Copy link
Member Author

Trott commented Apr 13, 2018

@No9 You should now have invitations for both.

@Stichoza
Copy link

Stichoza commented Apr 14, 2018

Sorry friends. @Trott, can you please add me back to nodejs-ka?
2FA configured.

@Trott
Copy link
Member Author

Trott commented Apr 14, 2018

@Stichoza OK, you now have an invitation for nodejs-ka.

@Trott
Copy link
Member Author

Trott commented Apr 14, 2018

(As an aside: I'd recommend avoiding the word "guys". It's everywhere and lots of people use it without thinking about it. But it can be perceived as excluding people. There are certainly people who don't perceive it that way, but since some people do, consider using "folks" or "people" or "everyone" or "friends" or nothing at all.)

@pin3da
Copy link

pin3da commented May 1, 2018

Hello, I just enabled the two-factor authentication. Can anyone send me an invitation? Thank you!

@Trott
Copy link
Member Author

Trott commented May 1, 2018

@pin3da Done!

@krosti
Copy link

krosti commented May 1, 2018

@Trott could you also add me to https://github.com/nodejs/nodejs-es ? (2FA already done)

@pin3da
Copy link

pin3da commented May 1, 2018

Thank you @Trott (:

@Trott
Copy link
Member Author

Trott commented May 1, 2018

@krosti You should now have an invitation waiting to be accepted in the GitHub interface.

@krosti
Copy link

krosti commented May 2, 2018

@Trott done, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests