<div dir="ltr">FYI...<br><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <b class="gmail_sendername" dir="auto">GitHub</b> <span dir="auto"><<a href="mailto:noreply@github.com">noreply@github.com</a>></span><br>Date: Mon, Jul 31, 2023 at 5:18 PM<br>Subject: Users in your organization will soon be required to enable 2FA<br>To: Mark M. Ito <<a href="mailto:marki@jlab.org">marki@jlab.org</a>><br></div><br><br><u></u>
<div>
<table align="center" width="100%">
<tbody><tr>
<td align="center" valign="top">
<center>
<table border="0" cellspacing="0" cellpadding="0" align="center" width="100%">
<tbody><tr>
<td align="center">
<table>
<tbody>
<tr>
<td height="16" style="font-size:16px;line-height:16px"> </td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" cellpadding="0" align="left" width="100%">
<tbody><tr>
<td>
<img src="https://github.githubassets.com/images/email/global/octocat-logo.png" alt="GitHub" width="32">
<h2>
Users in your organization will soon be required to enable 2FA
</h2>
</td>
</tr>
</tbody></table>
<table>
<tbody>
<tr>
<td height="16" style="font-size:16px;line-height:16px"> </td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody></table>
<table width="100%">
<tbody><tr>
<td>
<table align="center">
<tbody><tr>
<td>
<table border="0" cellspacing="0" cellpadding="0" align="center" width="100%">
<tbody><tr>
<td align="center">
<table>
<tbody>
<tr>
<td>
<table>
<tbody><tr>
<td>
<p>
Hey markito3!
</p>
<p>
You are receiving this notification because you are the admin of the "JeffersonLab" organization which contains 90 users that meet the updated criteria for the two-factor authentication requirement program. Of these 90 users, 28 already have 2FA enabled. Read on to learn what that means for your users, and how to prepare.
</p>
<p>
<b>This enrollment is not related to your organization settings or account.</b> It is based on the individual actions and privileges of your organization's users on GitHub.com, both within your organization and outside of it.
</p>
<h2>What is GitHub's required 2FA program?</h2>
<p>
GitHub is expanding the 2FA program <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.blog_2022-2D05-2D04-2Dsoftware-2Dsecurity-2Dstarts-2Dwith-2Dthe-2Ddeveloper-2Dsecuring-2Ddeveloper-2Daccounts-2Dwith-2D2fa_&d=DwMFaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=Te_hCR4EUlJ6iCDYLJ8Viv2aDOR7D9ZZMoBAvf2H0M4&m=s4KRtgoDB5KKiDFAE9d2N-W0ul8wxr8sxj5zMIra-MF7hCIf_Gj3d5ebjAL7EswH&s=3cXtx4crI7loig0AqSDfl6BptiIzMuYsK4smo3sYIL4&e=" target="_blank">announced last year</a>. When we <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.blog_2023-2D03-2D09-2Draising-2Dthe-2Dbar-2Dfor-2Dsoftware-2Dsecurity-2Dgithub-2D2fa-2Dbegins-2Dmarch-2D13&d=DwMFaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=Te_hCR4EUlJ6iCDYLJ8Viv2aDOR7D9ZZMoBAvf2H0M4&m=s4KRtgoDB5KKiDFAE9d2N-W0ul8wxr8sxj5zMIra-MF7hCIf_Gj3d5ebjAL7EswH&s=G-ckhWzt5TmeWP6wWnYNUZMgX5rYSTDBxD833ojg7sk&e=" target="_blank">launched this program in March</a>, we only included users who had published an app, Action, or Package. Starting next week, we'll ask users who have published a release of a repository or manage critical repositories to also enable 2FA.
</p>
<h2>Why do these users have to enable 2FA?</h2>
<p>These users have taken an action on GitHub.com which now requires 2FA.</p>
<p>
Users in this enrollment group have <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.github.com_en_repositories_releasing-2Dprojects-2Don-2Dgithub_about-2Dreleases&d=DwMFaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=Te_hCR4EUlJ6iCDYLJ8Viv2aDOR7D9ZZMoBAvf2H0M4&m=s4KRtgoDB5KKiDFAE9d2N-W0ul8wxr8sxj5zMIra-MF7hCIf_Gj3d5ebjAL7EswH&s=w2D8HM2pdA_2eY-K49Q1N3hy8uWC0cru3zA_6EvcREA&e=" target="_blank">created a release</a> or manage a <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ossf_wg-2Dsecuring-2Dcritical-2Dprojects&d=DwMFaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=Te_hCR4EUlJ6iCDYLJ8Viv2aDOR7D9ZZMoBAvf2H0M4&m=s4KRtgoDB5KKiDFAE9d2N-W0ul8wxr8sxj5zMIra-MF7hCIf_Gj3d5ebjAL7EswH&s=2poPnuaYsNA91fU_lsZINavgQed1B9mxn8OHPTYoOns&e=" target="_blank">critical OpenSSF repository</a>. That means, the 90 users in your organization being added to the program have created a release at least once in the past, or are administrators of an OpenSSF repository. This release may have been from one of your Organizations, in another Organization, or in their own personal repositories.
</p>
<p>
In addition to the new enrollment group, we are enabling daily updates to the previous enrollment group, which included all accounts that have published an app, Action or Package.
If a user publishes an app, Action, or Package for the first time, they will be enrolled in the 2FA program the next day, starting the 45-day enrollment process detailed <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.blog_2023-2D03-2D09-2Draising-2Dthe-2Dbar-2Dfor-2Dsoftware-2Dsecurity-2Dgithub-2D2fa-2Dbegins-2Dmarch-2D13_-23reminder-2Dwhat-2Dto-2Dexpect-2Dif-2Dyou-2Dare-2Drequired-2Dto-2Denable-2D2fa&d=DwMFaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=Te_hCR4EUlJ6iCDYLJ8Viv2aDOR7D9ZZMoBAvf2H0M4&m=s4KRtgoDB5KKiDFAE9d2N-W0ul8wxr8sxj5zMIra-MF7hCIf_Gj3d5ebjAL7EswH&s=PD0KS_QY064bPyPou1E3kMte_pfEy59NZ_jXR18NRFY&e=" target="_blank">in our March blog post</a>.
</p>
<h2>Will any more of my members need to enable 2FA?</h2>
<p>
More of your organization's members may take an action that puts them in this enrollment group or a previous one. At any time, you can review which users are required to enable 2FA by checking the People tab of your organization - it now shows users who are required to enable 2FA but have not yet done so.
In the future, we'll continue to expand the set of users that require 2FA, and we'll reach out again when that occurs.
</p>
<p>
You should validate if service accounts you manage are in this rollout, by reviewing their associated email inbox for notifications across the next month. For help on setting up 2FA for shared service accounts, see <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.github.com_organizations_keeping-2Dyour-2Dorganization-2Dsecure_managing-2Dtwo-2Dfactor-2Dauthentication-2Dfor-2Dyour-2Dorganization_managing-2Dbots-2Dand-2Dservice-2Daccounts-2Dwith-2Dtwo-2Dfactor-2Dauthentication&d=DwMFaQ&c=CJqEzB1piLOyyvZjb8YUQw&r=Te_hCR4EUlJ6iCDYLJ8Viv2aDOR7D9ZZMoBAvf2H0M4&m=s4KRtgoDB5KKiDFAE9d2N-W0ul8wxr8sxj5zMIra-MF7hCIf_Gj3d5ebjAL7EswH&s=jcR0WS-1dFvhTbEFhnxeCzZmYUDuhh3mp6ILspxupow&e=" target="_blank">"Setting up 2FA for service accounts"</a>.
</p>
<h2>Isn't SAML protection sufficient?</h2>
<p>
SAML protects your organization data, but it doesn't stop an attacker from accessing your users' personal accounts. These accounts can be contributors outside of your organization, and need to be protected as well.
</p>
<p>
Making the software supply chain more secure is a team effort, and we couldn't do it without you. Your support of 2FA is an impactful step in keeping the world's software secure.
</p>
<p>
Thanks,<br>
The GitHub Security Team
</p>
</td>
<td></td>
</tr>
</tbody></table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
<table border="0" cellspacing="0" cellpadding="0" align="center" width="100%">
<tbody><tr>
<td align="center">
<table>
<tbody>
<tr>
<td height="16" style="font-size:16px;line-height:16px"> </td>
</tr>
</tbody>
</table>
<table>
<tbody>
<tr>
<td height="16" style="font-size:16px;line-height:16px"> </td>
</tr>
</tbody>
</table>
<p></p>
</td>
</tr>
</tbody></table>
<table border="0" cellspacing="0" cellpadding="0" align="center" width="100%">
<tbody><tr>
<td align="center">
<table>
<tbody>
<tr>
<td height="16" style="font-size:16px;line-height:16px"> </td>
</tr>
</tbody>
</table>
<p>GitHub, Inc. ・88 Colin P Kelly Jr Street ・San Francisco, CA 94107</p>
</td>
</tr>
</tbody></table>
</center>
</td>
</tr>
</tbody></table>
<div style="display:none;white-space:nowrap;font:15px courier;line-height:0"> </div>
</div>
</div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Mark M. Ito<br><a href="mailto:markito3@gmail.com" target="_blank">markito3@gmail.com</a><br><br></div></div></div>