Requiring 2FA for Jupyter GitHub Orgs #14

Open
rpwagner opened this issue Jul 27, 2022 · 0 comments

rpwagner commented Jul 27, 2022

Hi,

I’m touching base on behalf of the Security Subproject about the goal to have 2FA enabled for all the Jupyter GitHub orgs by the end of September.

Let us know if you would like help contacting any of your members without 2FA, or figuring out a process for jupyter-widgets. I, or someone else, on the Security Subproject would be glad to join one of your team meetings to discuss the least disruptive way to get this done for your GitHub org. We also invite anyone interested to join our Security Subproject meetings.

How to do this for your org and contributors will depend on several things. Here are some suggestions to get started:

  • Try to avoid publicly disclosing any GitHub usernames without 2FA.
  • Remember: Access can always be restored. If you remove someone’s access it can be returned once they enable 2FA.
  • Start by reviewing the critical accounts, namely GitHub organization or repository owners and admins. Encourage them to enable 2FA since these have the highest risk if they were compromised.
  • After these high-risk accounts, review the accounts that have access to only a few repos and haven’t been active in a while (interns, occasional contributors, etc.). Consider removing their access and then sending them an email explaining why, and offering to restore access when they have 2FA enabled and are ready to contribute again.
  • For the rest of your members, you can send links to the Jupyter Blog post or Discourse topic.

We appreciate your time and effort to help improve the trust the Jupyter Community has in our work.

Once one of the jupyter-widgets GitHub org owners has enabled 2FA, we’d appreciate an update, either on this issue, or as an email to security@ipython.org.

Many thanks!

–Rick & @rcthomas

P.S. I'll be posting this on a few team-compass repos today, so apologies to those of you who contribute to many areas.
