Require Physical 2fa for Build WG & Web Infra members

[flakey5]

Members of the Build WG & @nodejs/web-infra have access to sensitive resources. Despite this however, there aren't any actual requirements for 2fa to be enabled on a member's accounts afaik.

I think there should be a requirement for members to have some form of physical 2fa (i.e. yubikey) connected to their GitHub and other relevant accounts.

@nodejs/web-infra is relevant here since, even though members aren't under the Build WG governance, they still follow the Build WG contributor guidelines as per the website's governance doc.

I don't have an answer as to who's going to be paying for the keys however

[jasnell]

Everyone in the Node.js GitHub org is, as far as I can remember, required to have general 2fa enabled on their accounts. Physical keys would be a good additional layer for folks on the build/infra/release teams. The foundation can likely be asked to pay for the keys. /cc @mcollina

[MattIPv4]

+1 to requiring physical hardware for authentication -- I have YubiKeys on my GH account. I wish GH had a way at the org level to require that 2FA on accounts is a physical factor, and can't be bypassed with another factor like GH mobile (it always gives me this option for sudo mode which scares me).

[ovflowd]

+1 for Web Infra. We should also require 2fa (Physical) on 1Password which has access to Vercel and Sentry and our GitHub bot accounts.

[mcollina]

Despite this however, there aren't any actual requirements for 2fa to be enabled on a member's accounts afaik.

I think this should be a requirement.

I don't think there is money available to massively buy yubykeys for everyone, but it really depends on the volume.

[jasnell]

... massively buy yubikeys for everyone...

We don't need them for everyone... just for the build, build-infra, web-infra, and release teams I would imagine. That would be about 25 keys, which should come to just under about $2k.

[richardlau]

While requiring a physical key would increase security, I also think it would discourage volunteering. I have a physical Yubikey that I'm not using because it looks like it's not so straightforward to get it working under WSL.

[ovflowd]

I think we should have a flexible requirement either have a Passkey or a Yubikey. Passkeys are already more secure and usually tied to Devicesd (iOS Phones, Windows computers, Android phones can serve as a Passkey)

[targos]

Passkeys can also be emulated by password managers. In that case they are not tied to physical devices.

[UlisesGascon]

I believe that using 2FA is essential at this stage and should be considered non-negotiable. That said, we can recommend passkeys or physical security keys as preferred 2FA methods, and we should be able to provide a physical key to any volunteer from those teams who requests one. This approach helps us maintain strong security practices without discouraging contributors or forcing specific setups or environments.

Personally, I use YubiKeys, although they can sometimes be tricky to use, especially in virtual machines. It might be helpful to point volunteers to a guide that outlines the best available 2FA options and explains why we prefer certain methods, such as passkeys or security keys, over others like SMS-based 2FA.

[ovflowd]

I think code-based 2FA, SMS-based or anything tied to something that could be compromised without a hardware in-person devioce should be no go. That's why I said Android Phones/iPhones;Windows Computers can act as Physical Security Keys (these are features built-in in these devices) if we want to avoid costs of Yubikeys (I have 4 Yubikeys tho)

[mhdawson]

From the discussion in the build WG today we are wondering if there are any Open Source projects who already required physical 2FA for some of the collaborators. If so can you let us know who they are as maybe we can reach out to them to see what their experience has been.

[iuuukhueeee]

@mhdawson I've found a blog and an open source project that enforced 2FA.

• https://ropensci.org/blog/2022/05/16/requiring-2fa-for-the-ropensci-github-organization/
• https://github.com/ossf/great-mfa-project

[MattIPv4]

• https://github.com/ossf/great-mfa-project

Heh looks like Node.js was meant to be part of that: nodejs/node#41126