Proposal: enforce 2FA requirement for Org members and collaborators #12209

Closed
kbdharun opened this issue Feb 7, 2024 · 12 comments · Fixed by #12557
Labels
archive Archive of changes made in tldr-pages, etc. community Issues/PRs dealing with role changes and community organization. decision A (possibly breaking) decision regarding tldr-pages content, structure, infrastructure, etc. security Issues/PRs related to security.

Comments

@kbdharun
Member

kbdharun commented Feb 7, 2024

Continuing #11918 (comment). (cc @sbrl)

I want to propose enabling two-factor authentication (2FA) at an organisational level for all members and outside collaborators to have better operational security (OPSEC) at tldr. This would prevent unauthorized access to the repositories and clients at Org in case the maintainer's credentials are leaked/their device is compromised.

Since we are a decentralized organization, it is essential to implement basic OPSEC practices like 2FA, private vulnerability reporting, etc. We already have some practices in place; 2FA would be the recent addition to it. GitHub is actively requiring accounts to enable 2FA, so you would want to enable it nonetheless.

The following users don't have 2FA enabled for their accounts; I would like to request you guys to enable it soon (to prevent being automatically removed when enabling the setting in future).

Org Members: @isaacvicente (Enabled 2FA)
Outside Collaborators:


You can enable two-factor authentication here -> https://github.com/settings/security


Reference links/settings

https://github.com/organizations/tldr-pages/settings/security

  1. https://github.com/orgs/tldr-pages/outside-collaborators?query=two-factor%3Adisabled
  2. https://github.com/orgs/tldr-pages/people?query=two-factor%3Adisabled
@kbdharun kbdharun added decision A (possibly breaking) decision regarding tldr-pages content, structure, infrastructure, etc. community Issues/PRs dealing with role changes and community organization. archive Archive of changes made in tldr-pages, etc. labels Feb 7, 2024
@CairnThePerson
Collaborator

Re-enabled 2FA. Thanks for the notification.

@Managor
Collaborator

Managor commented Feb 7, 2024

Enabled.

@sbrl
Member

sbrl commented Feb 7, 2024

I definitely support this, as soon as everyone has it enabled. We haven't had a breach (that I know of) yet, but we can never be too careful.

We could consider what to do for people who don't reply on a case-by-case basis e.g. after 1 month.

@patricedenis
Collaborator

Hi everyone.
I haven't got much time to contribute right now but I enabled the functionality to stay with you guys.
Cheers!

@rubenvereecken
Contributor

Feel free to drop me :)

@MrMw3
Collaborator

MrMw3 commented Feb 21, 2024

Enabled.

@kbdharun
Member Author

kbdharun commented Mar 11, 2024

Update: It's been a month and only 2 more people are yet to respond. I will try contacting @isaacvicente and @quantumflo regarding this through other channels; we can enable this setting after a few more days.

Edit (11/03/24): Sent a mail to @quantumflo informing them about this.

@isaacvicente
Member

I'm sorry, I had some exams in my college this week, so I haven't checked anything from GitHub. I've enabled 2FA now.

@kbdharun
Member Author

kbdharun commented Mar 16, 2024

> We could consider what to do for people who don't reply on a case-by-case basis e.g. after 1 month.

@sbrl only one more person (@quantumflo) is yet to respond (I sent an email and tried contacting them through other means a few days ago but to no avail). IG we can enable this setting (and update MAINTAINERS.md). We can always reinvite them back when they respond in future. What do you think about this?

@MrMw3
Collaborator

MrMw3 commented Mar 17, 2024

@kbdharun
I agree with you.

@kbdharun
Member Author

kbdharun commented Mar 20, 2024

Almost enabled the setting when I noticed a new name which didn't appear in both the lists (under the query but just normally); no idea why (their 2FA status was marked with a clock so I suspect they recently disabled it). @Geipro (previously @Proscream) can you enable 2FA for your account?

Will wait till this weekend to enable this fully and update the MAINTAINERS.md file.

@kbdharun
Member Author

Update: I have enabled the setting now and the 3 collaborators have been removed (will update MAINTAINERS.md to reflect the same and close this issue).
