Is your feature request related to a problem? Please describe.
The notorious ESLint compromise was attributed to password reuse. Currently crates.io does not protect from password reuse in any way.
Describe the solution you'd like
crates.io should require two-factor authentication to be enabled in the GitHub account in order to log in to crates.io.
While there seems to be no way to ask GitHub to perform 2FA, it is possible to query whether the user has 2FA enabled and refuse login attempts from people who do not have 2FA enabled. This is sufficient to protect from password reuse.
Describe alternatives you've considered
It would be nice to ask GitHub to perform 2FA when logging in to crates.io because that would also protect from GitHub cookie theft, but that doesn't appear to be possible - I could not find any GitHub API endpoints to do so.
Additional context
Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages were compromised, with ua-parser-js being the most widely used.
See also: #4196, #4197 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.
Shnatsel changed the title from "Require 2FA on login to protect against password reuse" to "Require 2FA to be enabled on Github to protect against password reuse" on Nov 21, 2021
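The login gate the issue proposes, as an added example that is not code from the original issue or from crates.io: given the JSON body of GitHub's GET /user response, decide whether the login may proceed. GitHub returns the `two_factor_authentication` field only as part of the private profile data, which requires the OAuth token to carry the `user` scope, so the check fails closed when the field is missing rather than silently letting such users in. The type and function names and the three sample responses are constructed for this illustration; a real implementation would deserialize the response with serde_json rather than scanning for the key as this dependency-free version does.

```rust
/// Result of inspecting GitHub's `GET /user` response for the
/// `two_factor_authentication` field (assumed names, for illustration).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TwoFactorStatus {
    Enabled,
    Disabled,
    /// Field absent or not a JSON boolean. GitHub omits it unless the
    /// token has the `user` scope, so this means "could not verify".
    Unknown,
}

/// Locate `"two_factor_authentication": <bool>` in the response body.
/// Dependency-free scan used only for this example; a production version
/// should deserialize the whole document with serde_json instead.
pub fn two_factor_status(user_json: &str) -> TwoFactorStatus {
    const KEY: &str = "\"two_factor_authentication\"";
    let pos = match user_json.find(KEY) {
        Some(p) => p,
        None => return TwoFactorStatus::Unknown,
    };
    let rest = user_json[pos + KEY.len()..].trim_start();
    let rest = match rest.strip_prefix(':') {
        Some(r) => r.trim_start(),
        None => return TwoFactorStatus::Unknown,
    };
    // A quoted "true" is a string, not a boolean, and falls through to Unknown.
    if rest.starts_with("true") {
        TwoFactorStatus::Enabled
    } else if rest.starts_with("false") {
        TwoFactorStatus::Disabled
    } else {
        TwoFactorStatus::Unknown
    }
}

/// Fail closed: only a verified `true` permits the crates.io login.
/// Disabled and Unknown are both refused, so a token that lacks the
/// `user` scope cannot be used to bypass the check.
pub fn login_allowed(user_json: &str) -> bool {
    two_factor_status(user_json) == TwoFactorStatus::Enabled
}

// Constructed sample responses; real GET /user bodies carry many more fields.
pub const SAMPLE_USER_WITH_2FA: &str =
    r#"{"login":"octocat","id":1,"two_factor_authentication":true}"#;
pub const SAMPLE_USER_WITHOUT_2FA: &str =
    r#"{"login":"octocat","id":1,"two_factor_authentication":false}"#;
/// What a token without the `user` scope gets back: no 2FA field at all.
pub const SAMPLE_USER_NO_USER_SCOPE: &str = r#"{"login":"octocat","id":1}"#;

fn main() {
    for (label, body) in [
        ("2FA enabled", SAMPLE_USER_WITH_2FA),
        ("2FA disabled", SAMPLE_USER_WITHOUT_2FA),
        ("no user scope", SAMPLE_USER_NO_USER_SCOPE),
    ] {
        println!(
            "{label:>14}: status={:?} login_allowed={}",
            two_factor_status(body),
            login_allowed(body)
        );
    }
}
```

The important design point is the three-way status: collapsing "field missing" into "disabled" would be safe here, but collapsing it into "enabled" (for example by checking `!= Some(false)`) would let any token obtained without the `user` scope skip the requirement entirely.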