This issue was moved to a discussion.

Require 2FA to be enabled on Github to protect against password reuse #4195


Closed
Shnatsel opened this issue Nov 21, 2021 · 0 comments
Comments

@Shnatsel
Member

Shnatsel commented Nov 21, 2021

Is your feature request related to a problem? Please describe.

The notorious ESLint compromise was attributed to password reuse. Currently crates.io does not protect from password reuse in any way.

Describe the solution you'd like

crates.io should require two-factor authentication to be enabled on the GitHub account in order to log in to crates.io.

While there seems to be no way to ask GitHub to perform 2FA, it is possible to query whether the user has 2FA enabled and refuse login attempts from people who do not have 2FA enabled. This is sufficient to protect from password reuse.

Describe alternatives you've considered

It would be nice to ask GitHub to perform 2FA when logging in to crates.io because that would also protect from GitHub cookie theft, but that doesn't appear to be possible - I could not find any GitHub API endpoints to do so.

Additional context

Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages were compromised, with ua-parser-js being the most widely used.

See also: #4196, #4197 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.
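As an added illustration of the check proposed above (example code, not part of the issue or of crates.io itself): GitHub's `GET /user` response includes a `two_factor_authentication` boolean for the authenticated user, but only when the OAuth token carries the `user` scope. The gate below fails closed when that field is absent, so a misconfigured scope cannot silently disable the check; the response bodies are constructed samples.

```python
import json
from dataclasses import dataclass

# Constructed samples of GitHub GET /user response bodies, trimmed to the
# fields that matter. `two_factor_authentication` is only returned when the
# OAuth token carries the `user` scope; otherwise the key is absent entirely.
SAMPLE_RESPONSES = {
    "with_2fa": '{"login": "alice", "id": 1, "two_factor_authentication": true}',
    "without_2fa": '{"login": "bob", "id": 2, "two_factor_authentication": false}',
    "scope_missing": '{"login": "carol", "id": 3}',
}


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    reason: str


def decide_login(user_json: str) -> LoginDecision:
    """Gate a crates.io-style login on the GitHub account having 2FA enabled.

    Fails closed: a missing or non-boolean flag is treated as "not enabled",
    because the usual cause is a token without the `user` scope, and allowing
    the login in that state would skip the check without anyone noticing.
    """
    try:
        user = json.loads(user_json)
    except json.JSONDecodeError:
        return LoginDecision(False, "unparseable user response")
    if not isinstance(user, dict) or not isinstance(user.get("login"), str):
        return LoginDecision(False, "response lacks a login name")
    flag = user.get("two_factor_authentication")
    if flag is None:
        return LoginDecision(False, "2FA status not reported (token lacks `user` scope?)")
    if flag is not True:
        return LoginDecision(False, f"2FA not enabled for {user['login']}")
    return LoginDecision(True, f"2FA enabled for {user['login']}")


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, decide_login(body))
```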

@Shnatsel Shnatsel changed the title Require 2FA on login to protect against password reuse Require 2FA to be enabled on Github to protect against password reuse Nov 21, 2021
@rust-lang rust-lang locked and limited conversation to collaborators Nov 21, 2021
@Turbo87 Turbo87 closed this as completed Nov 21, 2021
