2FA is coming to GitHub, in particular to the SageMath org.
Please get ready - if you still don't use 2FA,
get yourself a Yubico stick, or install pass with the otp extension - or else,
you'd need a smartphone to authenticate.

Cheers
Dima


---------- Forwarded message ---------
From: GitHub <nore...@github.com>
Date: Mon, Jul 31, 2023 at 10:19 PM
Subject: Users in your organization will soon be required to enable 2FA
To: Dima Pasechnik <d...@pasechnik.info>





Hey dimpase!

You are receiving this notification because you are the admin of the
"sagemath" organization which contains 142 users that meet the updated
criteria for the two-factor authentication requirement program. Of these
142 users, 68 already have 2FA enabled. Read on to learn what that means
for your users, and how to prepare.

*This enrollment is not related to your organization settings or account.*
It is based on the individual actions and privileges of your organization's
users on GitHub.com, both within your organization and outside of it.

What is GitHub's required 2FA program?

GitHub is expanding the 2FA program announced last year
<https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/>.
When we launched this program in March
<https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13>,
we only included users who had published an app, Action, or Package.
Starting next week, we'll ask users who have published a release of a
repository or manage critical repositories to also enable 2FA.

Why do these users have to enable 2FA?

These users have taken an action on GitHub.com which now requires 2FA.

Users in this enrollment group have created a release
<https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases>
or manage a critical OpenSSF repository
<https://github.com/ossf/wg-securing-critical-projects>. That means, the
142 users in your organization being added to the program have created a
release at least once in the past, or are administrators of an OpenSSF
repository. This release may have been from one of your Organizations, in
another Organization, or in their own personal repositories.

In addition to the new enrollment group, we are enabling daily updates to
the previous enrollment group, which included all accounts that have
published an app, Action or Package. If a user publishes an app, Action, or
Package for the first time, they will be enrolled in the 2FA program the
next day, starting the 45-day enrollment process detailed in our March blog
post
<https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/#reminder-what-to-expect-if-you-are-required-to-enable-2fa>.

Will any more of my members need to enable 2FA?

More of your organization's members may take an action that puts them in
this enrollment group or a previous one. At any time, you can review which
users are required to enable 2FA by checking the People tab of your
organization - it now shows users who are required to enable 2FA but have
not yet done so. In the future, we'll continue to expand the set of users
that require 2FA, and we'll reach out again when that occurs.

You should validate if service accounts you manage are in this rollout, by
reviewing their associated email inbox for notifications across the next
month. For help on setting up 2FA for shared service accounts, see "Setting
up 2FA for service accounts"
<https://docs.github.com/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/managing-bots-and-service-accounts-with-two-factor-authentication>.

Isn't SAML protection sufficient?

SAML protects your organization data, but it doesn't stop an attacker from
accessing your users' personal accounts. These accounts can be contributors
outside of your organization, and need to be protected as well.

Making the software supply chain more secure is a team effort, and we
couldn't do it without you. Your support of 2FA is an impactful step in
keeping the world's software secure.

Thanks,
The GitHub Security Team




