Following our recent post on “Safeguards and Backups for GitHub Organizations”, nearly one month ago we went one step further and made two-factor authentication (2FA) required for all members and outside collaborators of our main organization,
It was a timely decision as GitHub since then announced it will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
Here is how (and why) we went about it.
Why (not) require 2FA?
We used to only require two-factor authentication of organization owners (which is not an actual setting of GitHub, just a rule we set for ourselves).
However, requiring 2FA for the whole organization seemed like a logical step towards more security.
Hopefully it also inspires more 2FA adoption beyond the
ropensci organization as new adopters of the setting can tell their collaborators about it.
When one starts requiring 2FA for an organization, all members and outside collaborators who have not enabled it are removed from the organization and receive a notification from GitHub.
One aspect we pondered was whether it’d be potentially unfair to require 2FA. Many 2FA systems rely on the user having a mobile device, which could be a barrier for some. However, GitHub provides many different 2FA methods (not only those requiring a mobile device), so in the end we decided to go for it, but to make careful note of feedback from organization members and collaborators.
Communicating the change in advance
As recommended in GitHub docs, we communicated about the change in advance, sending emails to all organization members and outside collaborators without 2FA two weeks before the switch. This was meant to ensure that as few people as possible lost access to their repositories.
Email addresses were collected via the GitHub API, and for those who do not have a public email address on GitHub, using a search engine as well as email addresses used for recent commits. 🕵️ Taking the time to do so was also crucial to, again, remove as few people as possible from the organization.
We sent emails using the gmailr package. We manually went through automatic responses to decide action (e.g. scheduling a new email after someone was back from vacation, looking for a newer email address).
Here’s the text we used:
Dear ropensci GitHub organization member, To increase the security of the `ropensci` GitHub organization, we plan to make two-factor authentication ("2FA") required for members on April 18th. On this date, you will lose access to any ropensci GitHub repository you previously had access to. Docs: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication Obviously we encourage anyone to enable 2FA if you had not done so yet. Please email me or [email protected] if you have: - any question regarding 2FA, - enabled 2FA after April 18th and would like to added back. I will be glad to help! Thanks and best wishes, > Maëlle on behalf of the rOpenSci team.
With the subject
[Action required] Enable GitHub Two-Factor Authentication to Preserve Access.
We also posted a message about the change in our Slack workspace, as well as quite a few Slack DMs in particular to package maintainers.
Note that we actually had to send two emails as we first misread the documentation and thought members could become outside collaborators without 2FA. That’s not true! 😅 Thanks to organization members and outside collaborators for their patience. 🙏
Viewing people removed from the organization
To see respectively removed organization members and collaborators, as organization owners we were able to use the URLs
Before confirming the 2FA requirement, GitHub actually shows you which members you are about to remove from the organization. We went ahead anyway as we assumed the GitHub notification might reach some of them better than our previous email, and as the removal of people is reversible as soon as they have enabled 2FA.
Re-instating organization members
After we pulled the switch on April 19th, a few people reached out to tell us they had enabled 2FA. It was straightforward to add them back to the organization as GitHub lets you choose to re-instate an organization member within three months of their removal, so they get added to the teams and repos they used to belong to. We strove to re-instate people timely.
If you were an organization member or outside collaborator who was removed from the organization, please reach out to us if you have enabled 2FA and would like to be reinstated, or if you have any question about 2FA.
Two-factor authentication is now required for our main GitHub organization. It was a change made for the best for most people, but which might have created some pain and frustration for a few people depending on when they got the notification. We thank everyone for their collaboration and understanding.
As a further GitHub security step for us and you, dear reader, let’s mention
- pruning repositories from former, now inactive, collaborators (docs for personal repos, for repos hosted in organizations);
- pruning apps installed from personal accounts and from organizations;
- a recent GitHub post “5 simple things every developer can do to ship more secure code””.
And more generally, we recommend the article Ten quick tips for staying safe online by Danielle Smalls and Greg Wilson.