Enable the ability to see which team members have two-step verification (BB-14641)

Issue #11711 (status: wontfix)
Daniel Bennett (staff) created an issue

When running a team it is impossible to actually control contributors accounts, however, knowing that everyone accessing your code has two-step verification enabled is still important. Consider adding a lozenge or marker indicating two-step status for team members.

Comments (9)

  1. Mike Gruen

    An audit report or filter based on two-step being on/off per contributor/team member would be much better than a "lozenge" or other purely visual cue.

  2. Anonymous

    GitHub has this feature, and now that they have introduced fine-grained access control it's looking like a better choice security-wise...

  3. Mike Gruen

    Due to the security concerns raised in related requests, I think that this one should be closed (or de-prioritized) and in favor of the better alternatives #11958 and #11712.

    The concern with this feature is that as an admin, I can invite folks to my team without them "accepting" and then run a report to see which of them has two-factor enabled and then remove them from my team. This could be easily automated. The solution would be that the "joining a team" workflow would have to change and require an invite and an accept step. Locking access repo by repo (#11958) is better and more flexible -- actively blocks access without admins having to do anything after setting up the repo. Reporting is all well and good, but it's a snapshot in time and requires further action and constant monitoring to be effective.

  4. Zachary Davis

    Agreed, I think it's much more likely (and correct) that we'll do one of the two tickets you linked to (should those also be combined, or are they different in some subtle way I'm missing?).

    I'm closing this (ability to "audit" team members' 2fa status) as won't fix in favor of the alternate solution (require 2fa be enabled to access a repository).

  5. Mike Gruen

    No, those tickets should not be combined. I had that discussion with someone from your side already. Those tickets are distinct -- repo level blocking vs team membership blocking. The latter, team membership requirements, is more difficult, whereas the repo level one should be super simple (says the guy not doing the work).

  6. Mike Gruen

    Oops, I'm not sure what happened (maybe the ticket descriptions changed) but one of those tickets was about team level blocking. Now they do read almost identical. That's annoying as they were distinct issues at one point, I'm pretty sure.
