Two-factor authentication required for InsightSoftwareConsortium GitHub Org

matt.mccormick · 2019-02-07 23:10:15 UTC

Hi folks,

The community has been quite active on GitHub, and the project is growing!

To improve our level of security, next week (Friday) I will enable the option on the InsightSoftwareConsortium to require two-factor authentication for everyone in the organization. This means:

Members, billing managers, and outside collaborators who do not have two-factor authentication enabled for their personal account will be removed from the organization and will receive an email notifying them about the change.

Please add two-factor authentication (2FA) to your GitHub account (https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/), which typically means identifying yourself with a code from a cell phone app in addition to your password. It is generally considered good security hygiene .

If you lose access, let us know, and we will invite you back to retain your role, permissions, and settings..

If you have GitHub account and are not already a member of the InsightSoftwareConsortium organization, let us know: we welcome new community members who wish to the contribute to the cause of reproducible research and open science.

phcerdan · 2019-02-12 19:59:32 UTC

Hi, I just enabled the two-factor authentication (2FA) for the first time.

As a note, when using git from a terminal, I was still using https which requests my github username and password. With 2FA this method is not valid anymore (you have to create a Personal Access Token, and use that as password), so it is better, and safer to switch to SSH tokens.

Use the following config to use ssh instead of the default https for your repositories. In the global ~/.gitconfig

# Enforce SSH
[url "ssh://git@github.com/"]
  insteadOf = https://github.com/
[url "ssh://git@gitlab.com/"]
  insteadOf = https://gitlab.com/
[url "ssh://git@bitbucket.org/"]
  insteadOf = https://bitbucket.org/

Also, if you need to remove the authentication cache: git credential-cache exit

seanm · 2019-02-14 01:30:32 UTC

Matt,

And if one is unable or unwilling to enable two-factor authentication on GitHub? Does it mean one cannot be in the ‘organization’? What does that imply? Will one be unable to submit PRs for example?

Thanks,

Sean

bill.lorensen · 2019-02-14 03:21:23 UTC

I use GitHub for a number of projects. Can 2F be configured for just one project,?

matt.mccormick · 2019-02-14 18:23:50 UTC

Yes, pull requests are still a welcome and appreciated way to contribute to the community .

matt.mccormick · 2019-02-14 18:27:43 UTC

The 2FA information is only entered when logging into GitHub on a new computer, when you explicitly sign out of GitHub and sign back in again, or a with a few rare actions, like adding a collaborator.

This identity verification applies to an entire GitHub account as opposed to a project.

2FA is similar to vaccinations; everyone in the community needs to participate in order to keep the whole community healthy / secure.

fedorov · 2019-02-14 19:41:50 UTC

@matt.mccormick could not agree more, but it is more complicated than getting a flu shot, or enabling 2FA for other applications, which many users are familiar with. Enabling 2FA for GitHub requires major changes to how developers work with the git command line tools.

Speaking from my experience, it did thrown me off the tracks when “git push” asked for my password, and it did not work. Only after reading this article I realized I need to enter a personal access token, which I needed to generate, instead of the password. The note “Make sure to copy your new personal access token now. You won’t be able to see it again!” associated with that token made me realize I now need a secure location to keep that long hex string … I next saw the earlier response from @phcerdan, and also found this recipe: https://gist.github.com/ateucher/4634038875263d10fb4817e5ad3d332f, which perhaps could be the solution, but I didn’t test it …

Don’t know about others, but to me, this is a bit overwhelming.

I agree 2FA is the right way to go, and all those complexities can and must be sorted out, but would be most helpful if someone experienced with GitHub 2FA could provide a simple verified step-by-step guide for less experienced users to adapt to this new requirement. Or maybe add a cautionary note, something like “don’t expect to figure this out in 5 minutes” or “don’t do it now if you are in a rush”.

bill.lorensen · 2019-02-14 19:42:31 UTC

OK, I just signed up for 2FA. So far so good.

matt.mccormick · 2019-02-14 19:46:10 UTC

Yes, as @phcerdan mentioned, using ssh clone URLs (note that they can be used with forks, upstream’s too) makes working with GitHub much easier. And, ssh is more secure, regardless.

bill.lorensen · 2019-02-14 19:54:01 UTC

I use LastPass and stored my recovery codes as secure note.

bill.lorensen · 2019-02-14 20:12:39 UTC

Once you authenticate on a device, git should not ask for a special code. I use ssh, perhaps it’s different if you use https access.

seanm · 2019-02-14 21:03:03 UTC

I’m really not keen to give my phone number to Microsoft (aka GitHub).

As long as I can still download the code and submit ‘issues’ and ‘PRs’, I guess you can just remove me from the ‘InsightSoftwareConsortium GitHub Org’.

Sean

matt.mccormick · 2019-02-14 21:16:59 UTC

A phone number is not required, if I recall correctly, and should remain private – 2FA initialization is usually performed by scanning a QR code.

seanm · 2019-02-14 21:32:12 UTC

I don’t see anything about QR codes here:

https://help.github.com/articles/accessing-github-using-two-factor-authentication/

But it certainly talks about smartphones and SMS.

fbudin · 2019-02-14 22:21:13 UTC

You definitely can use an Authenticator App. I do it. If you go in the “Security” section of your Github settings, you can choose to use an app.

seanm · 2019-02-14 23:05:00 UTC

So if one does not have a smartphone and does not want to give one’s phone number to Microsoft (for the SMS option), is there any other choice?

Everything I do with/for ITK I do for my employer. My employer does not provide me with a smartphone (or even a dumbphone).

I have a computer, isn’t that sufficient?

Sean

fbudin · 2019-02-15 18:01:18 UTC

If that helps, hardware security keys are also an option.

imikejackson · 2019-02-16 21:55:12 UTC

Authenticating on the command line using SSH

Enabling 2FA doesn’t change how you authenticate to GitHub on the command line using SSH URLs. For more information about setting up and using an SSH key, see “Connecting to GitHub with SSH.”

Near the bottom of https://help.github.com/articles/accessing-github-using-two-factor-authentication/#authenticating-on-the-command-line-using-ssh Sounds like if you are using ssh public-private keys they you are using 2FA. So nothing should change if you are using ssh to push/pull? I know of only a very few rare cases where a corporate firewall does not let ssh out.

phcerdan · 2019-02-16 22:02:56 UTC

Yes, that’s correct.

I set up the 2FA and then switched to ssh for authentication through the terminal.

fbudin · 2019-02-16 23:06:04 UTC

Yes indeed. Enabling 2FA does not change anything for your push/pull if you are using SSH. The only changes are when you log in on the web.