Require MFA group-wide to deploy

[vemv]

Hi again,

a usual recommendation in post-mortem analyses for high-profile incidents in npm, RubyGems, etc is that 2FA should be required.

(I don't have the links for that at hand but that hopefully is an uncontroversial opinion)

While probably requiring MFA for everyone would be a little excessive today, being able to require MFA within a group does sound reasonable.

A simple proposal would be: if a group has MFA required, any members cannot deploy to that group until they activate MFA.

This way we can increase the security in both companies using Clojars, and OSS teams (e.g. cider) which have a great degree of reach.

Cheers - V

[vemv]

An interesting read https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html

[technomancy]

In general I'm in favor of making MFA required, but it would need some more work on the MFA implementation before it would be viable.

Right now you can only have a single MFA device per account, but because people lose/upgrade phones, and currently the only way to move to a new MFA device is to remove the one you currently have, and then add the new one, meaning it's required to have at least a brief period where no MFA is active.

[tobias]

That's a good point @technomancy. If we implement this as @vemv's looser proposal of:

if a group has MFA required, any members cannot deploy to that group until they activate MFA

then it is fine for a user to have a lapse in MFA; they just won't be able to deploy in that period.

[tobias]

I just released a change that lets you require MFA to be on for any user that tries to deploy to a given group. You can manage this on the page for the group when logged in as an admin:

Let me know if you have any issues with it.

[technomancy]

Thanks for adding this! I'll see if we can get this enabled for our group at work.