This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Require 2FA to be enabled on Github to protect against password reuse #4195
Comments
This was referenced Nov 21, 2021
Shnatsel
changed the title
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Uh oh!
There was an error while loading. Please reload this page.
Is your feature request related to a problem? Please describe.
The notorious ESLint compromise was attributed to password reuse. Currently crates.io does not protect from password reuse in any way.
Describe the solution you'd like
crates.io should require two-factor authentication to be enabled in the Github account in order to log in to crates.io.
While there seems to be no way to ask Github to perform 2FA, it is possible to query whether the user has 2FA enabled and refuse login attempts from people who do not have 2FA enabled. This is sufficient to protect from password reuse.
Describe alternatives you've considered
It would be nice to ask Github to perform 2FA when logging in to crates.io because that would also protect from Github cookie theft, but that doesn't appear to be possible - I could not find any Github API endpoints to do so.
Additional context
Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages have been compromised, with the
ua-parser-jsbeing the most widely used.See also: #4196, #4197 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.
The text was updated successfully, but these errors were encountered: