curl / Mailing Lists / curl-library / Single Mail


Do you 2FA on github?

From: Daniel Stenberg <>
Date: Mon, 21 Aug 2017 10:41:50 +0200 (CEST)

Hi friends!

TLDR: can we make two-factor authentication (2FA) mandatory for curl members
on github?

On github right now we have 24 team members who have push access to the curl
git repository and who show up with "owner" tag when they post comments on
issues or pull-requests.

Yet roughly half of us have not enabled 2FA on github, making these accounts
vulnerable for attackers. If an attacker would manage to compromise a member's
github account, that could be used to send comments in that person's name but
also to change SSH keys and thus push commits to the repositories.

In order to drastically reduce the risk of this, I would like to *require* 2FA
enabled on github for members of the curl organization (and thus those who can
push to git).

Or is there a good and valid reason why some people haven't yet enabled 2FA?

Received on 2017-08-21