While it makes sense as corporate policy (esp. for people with elevated permissions), and despite being a strong advocate for 2FA, I don't think it's reasonable to impose such a thing on committers (esp. when we don't provide 2FA for their account @ account.eclipse.org).
I am thinking this is something we should reconsider now that Github will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
Now that we know this is going to be a thing on Github, I could see us implementing this requirement before Github.
Obviously, we would need to give proper notice to our community first, but I think we should consider rolling this out before Github decides to enforce this new policy.
Christopher Guindon changed title from [Bug 560061] Require 2fa for all users with write access to an Eclipse Project repository on Github to [Bug 560061] Require 2fa for all users with write access to an Eclipse Project repository on Github/Gitlab
@droy created an issue yesterday about enforcing 2fa on Gitlab. I will revert the title of my issue to focus only on Github and discuss if this is something we want to implement before Github enforces it.
Christopher Guindon changed title from [Bug 560061] Require 2fa for all users with write access to an Eclipse Project repository on Github/Gitlab to [Bug 560061] Require 2fa for all users with write access to an Eclipse Project repository on Github
We are moving towards full 2FA enforcement across all EF-owned GitHub (GH) organizations. Currently, 90% of our organization members have 2FA enabled. The goal is to achieve 100% compliance. GH organizations can be categorized as follows:
Organizations with Mandatory 2FA (33 orgs):
Current Status: All members have 2FA enabled.
Action Required: None.
Organizations Without Mandatory 2FA, But All Members Have 2FA (76 orgs):
Plan: We will be implementing mandatory 2FA at the organizational level.
Communication: A notification will be sent to committers, indicating that from February 2nd, all new members must have 2FA enabled to join. This announcement will be made via the eclipse.org-committers mailing list.
Organizations Without Mandatory 2FA, and Not All Members Have 2FA (65 orgs):
Impact: Enabling 2FA enforcement will result in non-compliant members losing write access until they enable 2FA.
Communication: A deadline of April 30th will be set for mandatory 2FA enforcement. We will communicate this through the eclipse.org-committers mailing list and follow up with project -dev mailing lists as well as individuals for reminders.
Re-invitation: Members who enable 2FA post-enforcement will be re-invited by the sync script to regain their privileges.
Detailed Action Plan:
Jan 15: Announcement email to eclipse.org-committers detailing the 2FA enforcement plan.
Feb 2: Announcement and enablement of 2FA enforcement on orgs with full compliance and reminder of the April 30 deadline for others.
March 4 Feb 28: Reminder email to project-specific -dev mailing lists about the April 30 2FA enforcement deadline.
Each individual member has been contacted directly instead of via the -dev mailing list to enhance dissemination. Additionally, project leads of each project with at least one member lacking 2FA have received an email indicating the number of members without 2FA in their project, aiming to raise awareness.
April 2 April 8: Follow-up reminder to -dev mailing lists.
Reminders have been sent to each individual member and to project leads.
April 10, 18, 25: Direct reminders to individual members without 2FA.
April 30: Final implementation of 2FA across all organizations. Announcement to the committers-dev mailing list.
Additional Recommendation:
After February 2nd, enforce 2FA by default in all newly created EF GitHub organizations.
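The three buckets above, and the "re-invite once 2FA is enabled" step of the sync script, as an added audit example (not code from this issue or from the EF sync script). The `two_factor_required` flag mirrors GitHub's `two_factor_requirement_enabled` organization attribute and `members_without_2fa` is what the org members listing with `filter=2fa_disabled` returns for an org owner; the org and member data here is constructed, not real.

```python
from dataclasses import dataclass, field


@dataclass
class Org:
    name: str
    two_factor_required: bool            # GitHub: two_factor_requirement_enabled
    members: set = field(default_factory=set)
    members_without_2fa: set = field(default_factory=set)  # filter=2fa_disabled


def categorize(orgs):
    """Sort orgs into the three buckets used in the enforcement plan."""
    buckets = {"mandatory": [], "all_compliant_not_mandatory": [], "non_compliant": []}
    for org in orgs:
        if org.two_factor_required:
            buckets["mandatory"].append(org.name)
        elif not org.members_without_2fa:
            buckets["all_compliant_not_mandatory"].append(org.name)
        else:
            buckets["non_compliant"].append(org.name)
    return buckets


def compliance_rate(orgs):
    """Share of distinct members (across all orgs) that have 2FA enabled."""
    everyone = set().union(*(o.members for o in orgs)) if orgs else set()
    missing = set().union(*(o.members_without_2fa for o in orgs)) if orgs else set()
    return len(everyone - missing) / len(everyone) if everyone else 1.0


def at_risk_members(orgs):
    """Who loses write access, per org, the moment enforcement is switched on."""
    return {o.name: sorted(o.members_without_2fa) for o in orgs if o.members_without_2fa}


def pending_reinvites(expected_members, current_members, members_without_2fa):
    """Members dropped by enforcement who have since enabled 2FA: re-invite them."""
    return sorted(set(expected_members) - set(current_members) - set(members_without_2fa))


# Constructed sample data (hypothetical org names and logins).
SAMPLE_ORGS = [
    Org("eclipse-alpha", True, {"alice", "bob"}, set()),
    Org("eclipse-beta", False, {"bob", "carol"}, set()),
    Org("eclipse-gamma", False, {"carol", "dave", "erin"}, {"erin"}),
]

if __name__ == "__main__":
    print(categorize(SAMPLE_ORGS))
    print(f"compliance: {compliance_rate(SAMPLE_ORGS):.0%}")
    print(at_risk_members(SAMPLE_ORGS))
```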
We enforced it a couple of days after that date. 2FA is now enforced in all GitHub organizations that are members of the Eclipse Foundation enterprise, except for openhwgroup at the request of Mikael.
btw, I just found this in the Enterprise Settings:
It might be useful for announcing some change in the future as well. It should only be visible to members of the organization when they navigate to a page, but that would need to be tested.