Ensure that only secure two‐factor authentication methods are allowed

[emilazy]

I request that @NixOS/org adjust the authentication security settings by ensuring that “Only allow secure two-factor methods” is enabled. This may already be the case, but if not, well… SMS two‐factor is no good. (If you’re going to use an insecure method, you might as well use software TOTP, which is more convenient.)

[mdaniels5757]

As of Jan 2025 (#57), all org owners had only secure 2fa enabled. But I don't think this box was checked; it sounds like this was enforced manually.

[mdaniels5757]

Actually: are you talking about the second checkbox here?:

If so: that seems to apply to all members of the org (including Nixpkgs maintainers). That would be a problem, I think?

[mweinelt]

No, it would be a good choice. This is good security hygiene in general, even for maintainers.

[tomberek]

I recall this being enforced manually for org owners, by inspection. Expanding this to all committers sounds like a reasonable ask; though there will be some amount of disruption. Likely a net positive.

[mweinelt]

I think this should be announced with a deadline (two weeks, not more) and then toggled.

[emilazy]

That sounds reasonable to me. This would only affect use of write access to the NixOS organization, anyway; I doubt there are many committers using SMS two‐factor to begin with. (Not sure if there’s any way to get a list of users that would be impacted?)

[infinisil]

Not sure if there’s any way to get a list of users that would be impacted

From the org admin console I can export the relevant info:

tfa-status.json

Stats:

• 1690 members: Insecure TFA
• 2929 members: Secure TFA
• 1 member (@janhencic): No TFA (how's that even possible..?)

I'll do some testing with the test org to estimate the impact

[infinisil]

This is the email you get:

While it's possible to browse repository code without setting up secure 2FA, access to issues and pull requests is entirely restricted, giving you

Let me know if I should test something else

[mweinelt]

OK, I think that many people warrants a slightly longer transition period. Like 6 weeks for example. The most important thing is that we get started.

[infinisil]

Considering the impact, I'm fine with enabling this if:

• We announce it some weeks in advance as suggested
• We have another org owner be fine with it

If it turns into a controversial issue, I'd want the SC to make the call (our org owner authority requires that)

[winterqt]

+1 from me.

[mdaniels5757]

Does the NixOS org have any outside collaborators with insecure 2FA? My understanding is that they would simply be removed and notified, and org owners would need to add them back once they've enabled. Depending on the number, could be worth some targeted outreach now to reduce the need for manual re-additions later.

[infinisil]

We have only 4 outside collaborators:

• @adekoder: Insecure 2FA, has maintain access to https://github.com/NixOS/nix-security-tracker
• @brenuguim: Secure 2FA, has maintain access to https://github.com/NixOS/patchelf
• @bzzimmy: Insecure 2FA, no special access
• @nrdsp: Secure 2FA, has write access to https://github.com/NixOS/nixos-summer (archived)

[infinisil-test-user-2]

I'd propose announcing it with GitHub's announcement feature:

My proposed message:

After 2026-06-14 all org members must exclusively use secure two-factor authentication. If you're currently allowing insecure SMS authentication, ensure another method is configured, and remove SMS authentication in your settings to avoid disruptions.

Expiration date: None (remove the announcement when the switch is flipped)
Allow users to dismiss the announcement: Yes

I'll set myself a timer to flip the switch after 2026-06-14

Any objections?