Two-factor authentication for the GitHub organization

It’s been suggested that the JMonkeyEngine organization at GitHub should require two-factor authentication. Here’s some information on what that entails:

https://help.github.com/en/github/setting-up-and-managing-organizations-and-teams/requiring-two-factor-authentication-in-your-organization

Currently, our organization has 20 members and 13 owners. 4 of the members and 6 of the owners currently have 2FA logins. Many active contributors have not enabled 2FA for their GitHub logins, including @jayfella, @pspeed, and myself. So clearly we’re not yet ready to require 2FA.

The question is, should we be working toward 2FA as a goal?

One note:
The only thing that doesn’t work with 2FA anymore is using the git command line directly, one needs to create an access token and use that as password.

This is irrelevant because Github is disabling password logins as of July anyway.


Grr… I only use command line. :frowning:

That link is bad, but see: GitHub deprecated basic authentication using password
But using a Token works just the same, you pass it as “password”, iirc.
You can even configure that in your git config file.

I’m confused. Where was “disabling password logins” announced? Are you talking about git or some other command-line tool?

Yes, git command line. Usually you were prompted for your Github Password, but since that is a security problem, they removed that; see the above link for the notice verbatim.

I got that last time I used the command line to push something.

So as I read it, you have to have a mobile smart phone to do this?

In general yes, not necessarily a smartphone but an SMS-able device.
Sometimes you can buy hardware keys as second factor.

I see, so I must now move my accounts to somewhere else.

Means no more wiki editor also.

Wait, I’ve mixed up multiple things.
We are currently evaluating enforcing 2FA. If you cannot do that, you could be the exception or the reason not to do it.

And the other thing is github disables command line password access, Git UIs usually register an Access Token.

For GitHub, the second form of authentication is a code that’s generated by an application on your mobile device or sent as a text message (SMS).

If they require this as of july I am out anyway. So won’t really matter.

I will just move to subversion.

Again, you are mixing things up:
In July you cannot use git clone mitm@github.com/my-private-repo anymore and type your user password; you need a token, which you can set up.

2FA is a thing to enforce as organization or not. And if you can’t work with that, you’d be the reason against enforcing 2FA for the organization.

Right, I saw that. Said have to use https, which I do so no problem there.

I don’t do cell phones, including text, on purpose, been there, done that. Life is so much better without it.

You guys don’t have to let the tail wag the dog here, if you want 2fa do it.

I exclusively use the command line… I’d prefer it if that was as trouble-free as possible for as long as possible.

I already used https, though… didn’t even know anything else was an option. So maybe I’m thinking of something different.

Currently can use ssh.

Since I already have it open, here it is.

You can also use a One-time-Password-generator app, such as lastpass (which has a free tier)

Last time I checked, SSH access worked for any repo that you have “normal” write access to - your personal namespace, and any organizations that you own/have team rights to.

Once the SSH Signature is set up, the only change that needs to be made is to have your remotes use SSH/git protocol (git@github.com:ORG/repo.git) instead of the HTTPS URLs

The last time I checked, the one exception was for third-party repos. Team Members can actually push changes to a branch that is the source of an open Pull Request. Handy if you want to do a little manual cleanup before merging, or the automatic merge tools cannot handle the situation. Only a branch that is the source of an open Pull request can be pushed to in this fashion, and then only if the person who opened the PR did not disable it.

Last time I checked, these third-party branches still had to be pushed to through the HTTPS variant.

It does look, however, that the Tokens for HTTPS are more of “Set Up a Large, random password that is different from the password that is allowed to manage your account” than anything else. They do not seem to need to be regenerated regularly, and are orthogonal to 2FA.
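The remote-URL switch described in the post above, as an added example that is not part of the original thread or the jMonkeyEngine project: a small POSIX shell script that rewrites GitHub HTTPS remote URLs into the SSH form (git@github.com:ORG/repo.git). The ORG/repo names are placeholders, and the script assumes the repository's remotes point at github.com and that an SSH key is already registered on the account.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite GitHub HTTPS remote URLs
# into the SSH form, so pushes authenticate with an SSH key instead of
# a password or token over HTTPS.

# to_ssh_url HTTPS_URL -> prints git@github.com:ORG/repo.git
# Accepts https://github.com/ORG/repo with or without ".git" and with or
# without a trailing slash. Non-GitHub or already-SSH URLs are printed
# unchanged so the caller can apply it to every remote safely.
to_ssh_url() {
    url=$1
    case "$url" in
        https://github.com/*)
            path=${url#https://github.com/}   # drop scheme and host
            path=${path%/}                    # drop trailing slash, if any
            path=${path%.git}                 # drop ".git" so it is not doubled
            printf 'git@github.com:%s.git\n' "$path"
            ;;
        *)
            printf '%s\n' "$url"
            ;;
    esac
}

# uses_https URL -> succeeds (exit 0) only for GitHub HTTPS URLs
uses_https() {
    case "$1" in
        https://github.com/*) return 0 ;;
        *) return 1 ;;
    esac
}

# convert_remotes: inside a git working tree, rewrite every GitHub HTTPS
# remote to its SSH form and report each change. Remotes that already
# use SSH, or that point elsewhere, are left untouched.
convert_remotes() {
    command -v git >/dev/null 2>&1 || { echo "git not found" >&2; return 1; }
    git rev-parse --is-inside-work-tree >/dev/null 2>&1 \
        || { echo "not inside a git repository" >&2; return 1; }
    for r in $(git remote); do
        old=$(git remote get-url "$r")
        if uses_https "$old"; then
            new=$(to_ssh_url "$old")
            git remote set-url "$r" "$new"
            echo "$r: $old -> $new"
        fi
    done
}
```

Run `convert_remotes` from inside a checkout; afterwards `git remote -v` should show only git@github.com: URLs, and `git push` will use the SSH key rather than prompting for a password or token. The third-party PR branches mentioned above would still need the HTTPS URL, which this script leaves alone if the remote is not on github.com.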

I’m still confused. I regularly use Git CLI commands (such as git push) to manipulate GitHub repos. I get prompted for my password. I never get messages like the one quoted at the URL you provided.

Are you saying this capability has been deprecated? If so, shouldn’t there be an official announcement to that effect on github.com?