[Halld-offline] [EXTERNAL] Fwd: Users in your organization will soon be required to enable 2FA

Mark Ito markito3 at gmail.com
Tue Aug 8 20:42:47 EDT 2023


FYI...

---------- Forwarded message ---------
From: GitHub <noreply at github.com>
Date: Mon, Jul 31, 2023 at 5:18 PM
Subject: Users in your organization will soon be required to enable 2FA
To: Mark M. Ito <marki at jlab.org>



Users in your organization will soon be required to enable 2FA


Hey markito3!

You are receiving this notification because you are the admin of the
"JeffersonLab" organization which contains 90 users that meet the updated
criteria for the two-factor authentication requirement program. Of these 90
users, 28 already have 2FA enabled. Read on to learn what that means for
your users, and how to prepare.

*This enrollment is not related to your organization settings or account.*
It is based on the individual actions and privileges of your organization's
users on GitHub.com, both within your organization and outside of it.

What is GitHub's required 2FA program?

GitHub is expanding the 2FA program announced last year
<https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/>.
When we launched this program in March
<https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13>,
we only included users who had published an app, Action, or Package.
Starting next week, we'll ask users who have published a release of a
repository or manage critical repositories to also enable 2FA.

Why do these users have to enable 2FA?

These users have taken an action on GitHub.com which now requires 2FA.

Users in this enrollment group have created a release
<https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases>
or manage a critical OpenSSF repository
<https://github.com/ossf/wg-securing-critical-projects>. That means, the 90
users in your organization being added to the program have created a
release at least once in the past, or are administrators of an OpenSSF
repository. This release may have been from one of your Organizations, in
another Organization, or in their own personal repositories.

In addition to the new enrollment group, we are enabling daily updates to
the previous enrollment group, which included all accounts that have
published an app, Action or Package. If a user publishes an app, Action, or
Package for the first time, they will be enrolled in the 2FA program the
next day, starting the 45-day enrollment process detailed in our March blog
post
<https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/#reminder-what-to-expect-if-you-are-required-to-enable-2fa>.

Will any more of my members need to enable 2FA?

More of your organization's members may take an action that puts them in
this enrollment group or a previous one. At any time, you can review which
users are required to enable 2FA by checking the People tab of your
organization - it now shows users who are required to enable 2FA but have
not yet done so. In the future, we'll continue to expand the set of users
that require 2FA, and we'll reach out again when that occurs.

You should validate if service accounts you manage are in this rollout, by
reviewing their associated email inbox for notifications across the next
month. For help on setting up 2FA for shared service accounts, see "Setting
up 2FA for service accounts"
<https://docs.github.com/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/managing-bots-and-service-accounts-with-two-factor-authentication>.

Isn't SAML protection sufficient?

SAML protects your organization data, but it doesn't stop an attacker from
accessing your users' personal accounts. These accounts can be contributors
outside of your organization, and need to be protected as well.

Making the software supply chain more secure is a team effort, and we
couldn't do it without you. Your support of 2FA is an impactful step in
keeping the world's software secure.

Thanks,
The GitHub Security Team


-- 
Mark M. Ito
markito3 at gmail.com