[sacm] [ACTION REQUIRED] Your GitHub account, sacm, will soon require 2FA

GitHub <noreply@github.com> Sat, 06 January 2024 01:14 UTC

Return-Path: <noreply@github.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F841C2FEE0C for <sacm@ietfa.amsl.com>; Fri, 5 Jan 2024 17:14:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.829
X-Spam-Level:
X-Spam-Status: No, score=-3.829 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, TVD_PH_SEC=0.1, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y9Hw7EtaaA39 for <sacm@ietfa.amsl.com>; Fri, 5 Jan 2024 17:14:44 -0800 (PST)
Received: from out-26.smtp.github.com (out-26.smtp.github.com [192.30.252.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 891B5C31E882 for <sacm@ietf.org>; Fri, 5 Jan 2024 17:14:44 -0800 (PST)
Received: from github.com (hubbernetes-node-d057c35.ash1-iad.github.net [10.56.163.27]) by smtp.github.com (Postfix) with ESMTPA id 9685D6006B3; Fri, 5 Jan 2024 17:14:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2023; t=1704503683; bh=+53fVmuThZeMIQhtjgEQffFCUP6A4Yq9lo9vH7Ck4g8=; h=Date:From:To:Subject:From; b=bGzL8sDHHgslnK07mhABediR3vhFI2oRpHh8iJUwv52QYwNM3O3AS1D53oPdo4AsB aVTeVREVswyWUWjtWSfd9XNKcukqAjvw40kmBb+Fr029q1EOSDdhWDKLUhLpMrkcZZ OVFC8eO2CoQgCRsGJXVWU8Uiupqz4BPLS5IAUsbc=
Date: Fri, 05 Jan 2024 17:14:43 -0800
From: GitHub <noreply@github.com>
To: sacm <sacm@ietf.org>
Message-ID: <6598a983947ff_87d78c69434@lowworker-6f6569974c-xb5m9.mail>
Mime-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: All
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/TYvzLMqhky9EvsT3zIIvznsX_JE>
Subject: [sacm] [ACTION REQUIRED] Your GitHub account, sacm, will soon require 2FA
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jan 2024 01:14:48 -0000

Hey sacm!

This is a reminder that we announced (https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/) that we are requiring users contributing code on GitHub.com to enable two-factor authentication (2FA). You are receiving this notification because your account meets this criteria and will be required to enroll in 2FA by January 18th, 2024 at 00:00 (UTC).

Please see the below FAQ, or learn more about 2FA on GitHub Help (https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication).

What you need to know about the required 2FA initiative

We are enrolling GitHub users who manage or author code on GitHub. More information about our efforts to make 2FA adoption easy and safe can be found in this blog post (https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13). This is a GitHub.com program, and unrelated to any organization or enterprise membership your account may have.

How will this affect my account?

On January 18th, 2024 at 00:00 (UTC) your account will be required to have 2FA for authentication. If you have not yet enrolled by that date, your ability to access GitHub.com will be limited until you finish the enrollment process.

How do I enroll in 2FA?

Click here to get started (https://github.com/settings/two_factor_authentication/setup/intro)! Prior to January 18th, 2024 at 00:00 (UTC) you can follow the instructions in our documentation (https://docs.github.com/articles/configuring-two-factor-authentication) to set up 2FA for your account. If you have not yet enrolled in 2FA by January 18th, 2024 at 00:00 (UTC), you will automatically be taken to the 2FA enrollment form the next time you access GitHub.com.

What forms of 2FA can I use?

We want you to have the most seamless experience with 2FA possible, so you can choose one or more of the following options:

  • Security key
  • GitHub Mobile
  • Authenticator application (TOTP)
  • Text messages (SMS)

You should set up at least two of these options, to ensure you always have access to your account. Head to https://github.com/settings/security to enroll more 2FA methods.

I already have 2FA enabled, do I need to do anything?

No, if you already have 2FA enabled before January 18th, 2024 at 00:00 (UTC), you don't need to take any additional actions. After January 18th, 2024 at 00:00 (UTC), you will no longer be able to unenroll from 2FA from your account, but you will be able to change the option you use for authenticating with 2FA. Additionally, you won't see any more banners on GitHub.com, and we won't email you about this anymore.

What happens to my PATs and SSH keys at the deadline?

Your PATs, SSH keys, and applications will all keep working after the deadline, regardless of your 2FA enrollment. PATs in particular are used extensively in important automation, and interruption there can cause outages in critical systems. However, when it is time to sign in to GitHub.com to create a new PAT or manage your account, you'll be required to enable 2FA before you can proceed.

What do I do if I lose my 2FA device?

GitHub strongly encourages the use of multiple second factor options. If you lose all of your second factors, recovery codes are the only way to access your account again. By saving your recovery codes, you'll be able to regain access.

Be sure to enable cloud backup for your authenticator app and save your recovery codes. Many phones and computers can be security keys as well - registering them with GitHub.com gives you additional, highly-secure 2FA methods.

For security reasons, GitHub Support may not be able to restore access to accounts with 2FA enabled if you lose your 2FA credentials and lose access to your account recovery methods.

More information about recovery codes can be found on GitHub Help at https://docs.github.com/articles/recovering-your-account-if-you-lose-your-2fa-credentials

Why is GitHub requiring 2FA?

Ensuring account security is a shared responsibility GitHub takes seriously. Strong authentication and the use of 2FA have been recognized as best practice for many years. We feel that GitHub has a duty to lead this push toward strong authentication as part of protecting the software supply chain.

To see this and other security events for your account, visit your account security audit log (https://github.com/settings/security-log).

If you run into problems, please contact support by visiting the GitHub support page (https://github.com/contact).

Thanks,
The GitHub Team