2023 Mandatory 2FA rollout for GitHub.com contributors (#35436)

Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>
Sarita Iyer 2023-03-14 11:03:26 -04:00 committed by GitHub
Parent 0bd4d17f29
Commit c778f6b53d
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
10 changed files: 83 additions and 6 deletions


@ -30,6 +30,10 @@ You can enforce policies to control the security settings for organizations owne
## Requiring two-factor authentication for organizations in your enterprise
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}
{% ifversion ghes%}If {% data variables.location.product_location %} uses LDAP or built-in authentication, enterprise{% else %}Enterprise{% endif %} owners can require that organization members, billing managers, and outside collaborators in all organizations owned by an enterprise use two-factor authentication to secure their user accounts.
Before you can require 2FA for all organizations owned by your enterprise, you must enable two-factor authentication for your own account. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)."
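Review bot: the unchanged context line `{% ifversion ghes%}If {% data variables.location.product_location %} uses LDAP ...` is missing the space before `%}`; every other tag in this change is written `{% ... %}`, so while editing this block consider fixing it to `{% ifversion ghes %}`.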
@ -46,6 +50,16 @@ Before you can require 2FA for all organizations owned by your enterprise, you m
Before you require use of two-factor authentication, we recommend notifying organization members, outside collaborators, and billing managers and asking them to set up 2FA for their accounts. Organization owners can see if members and outside collaborators already use 2FA on each organization's People page. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/viewing-whether-users-in-your-organization-have-2fa-enabled)."
{% ifversion mandatory-2fa-dotcom-contributors %}
{% note %}
**Note**: Some of the users in your organizations may have been selected for mandatory two-factor authentication enrollment by {% data variables.product.prodname_dotcom_the_website %}, but it has no impact on how you enable the 2FA requirement for the organizations in your enterprise. If you enable the 2FA requirement for organizations in your enterprise, all users without 2FA currently enabled will be removed from the organizations, including those that are required to enable it by {% data variables.product.prodname_dotcom_the_website %}.
{% endnote %}
{% endif %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
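Review bot: in the added note, "but it has no impact on how you enable the 2FA requirement" leaves "it" without a clear antecedent; suggest "but this has no impact" or "but that selection has no impact". Two smaller wording points in the same note: "including those that are required to enable it" should be "those who are required", and "all users without 2FA currently enabled" reads better as "all users who do not currently have 2FA enabled".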


@ -45,6 +45,10 @@ You can authenticate to {% data variables.product.product_name %} in your browse
{% endif %}
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}
- **Username and password only**
- You'll create a password when you create your account on {% data variables.product.product_name %}. We recommend that you use a password manager to generate a random and unique password. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-strong-password)."{% ifversion fpt or ghec %}
- If you have not enabled 2FA, {% data variables.product.product_name %} will ask for additional verification when you first sign in from an unrecognized device, such as a new browser profile, a browser where the cookies have been deleted, or a new computer.


@ -13,6 +13,11 @@ topics:
- 2FA
shortTitle: About 2FA
---
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}
For {% data variables.product.product_name %}, the second form of authentication is a code that's generated by an application on your mobile device{% ifversion fpt or ghec %} or sent as a text message (SMS){% endif %}. After you enable 2FA, {% data variables.product.product_name %} generates an authentication code any time someone attempts to sign into your account on {% data variables.location.product_location %}. The only way someone can sign into your account is if they know both your password and have access to the authentication code on your phone.
{% data reusables.two_fa.after-2fa-add-security-key %}


@ -16,9 +16,14 @@ topics:
- 2FA
shortTitle: Configure 2FA
---
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}
You can configure two-factor authentication (2FA) using a mobile app{% ifversion fpt or ghec %} or via text message{% endif %}. You can also add a security key.
We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA.{% ifversion fpt or ghec %} TOTP applications are more reliable than SMS, especially for locations outside the United States.{% endif %} Many TOTP apps support the secure backup of your authentication codes in the cloud and can be restored if you lose access to your device.
We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA{% ifversion fpt or ghec %}, and security keys as backup methods instead of SMS. TOTP applications are more reliable than SMS, especially for locations outside the United States{% endif %}. Many TOTP apps support the secure backup of your authentication codes in the cloud and can be restored if you lose access to your device.
{% ifversion 2fa-check-up-period %}
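Review bot: in the rewritten recommendation sentence, "using a time-based one-time password (TOTP) application to configure 2FA, and security keys as backup methods instead of SMS" attaches "instead of SMS" only to the backup methods, so the primary recommendation (TOTP rather than SMS) is no longer stated explicitly. Suggest "We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA, with security keys as a backup method, rather than SMS." Since the security-key steps later in this same file still require TOTP or SMS to be set up first, a cross-link from this sentence to that section would tell readers the order in which to set the methods up.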
@ -94,7 +99,7 @@ Before using this method, be sure that you can receive text messages. Carrier ra
{% warning %}
**Warning:** We **strongly recommend** using a TOTP application for two-factor authentication instead of SMS. {% data variables.product.product_name %} doesn't support sending SMS messages to phones in every country. Before configuring authentication via text message, review the list of countries where {% data variables.product.product_name %} supports authentication via SMS. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/countries-where-sms-authentication-is-supported)".
**Warning:** We **strongly recommend** using a TOTP application for two-factor authentication instead of SMS, and security keys as backup methods instead of SMS. {% data variables.product.product_name %} doesn't support sending SMS messages to phones in every country. Before configuring authentication via text message, review the list of countries where {% data variables.product.product_name %} supports authentication via SMS. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/countries-where-sms-authentication-is-supported)".
{% endwarning %}
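Review bot: "instead of SMS" now appears twice in the first sentence of the warning ("...for two-factor authentication instead of SMS, and security keys as backup methods instead of SMS"). Suggest "We **strongly recommend** using a TOTP application for two-factor authentication, with security keys as backup methods, instead of SMS."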
@ -113,12 +118,12 @@ Before using this method, be sure that you can receive text messages. Carrier ra
{% data reusables.two_fa.after-2fa-add-security-key %}
On most devices and browsers, you can use a physical security key over USB or NFC. Some browsers can use the fingerprint reader, facial recognition, or password/PIN on your device as a security key.
On most devices and browsers, you can use a physical security key over USB or NFC. Most browsers can use the fingerprint reader, facial recognition, or password/PIN on your device as a security key as well.
Authentication with a security key is *secondary* to authentication with a TOTP application{% ifversion fpt or ghec %} or a text message{% endif %}. If you lose your security key, you'll still be able to use your phone's code to sign in.
Registering a security key for your account is available after enabling 2FA with a TOTP application{% ifversion fpt or ghec %} or a text message{% endif %}. If you lose your security key, you'll still be able to use your phone's code to sign in.
1. You must have already configured 2FA via a TOTP mobile app{% ifversion fpt or ghec %} or via SMS{% endif %}.
1. Ensure that you have a WebAuthn compatible security key inserted into your computer.
1. Ensure that you have a WebAuthn compatible security key inserted into your device, or that your device has a built-in authenticator such as Windows Hello, Face ID, or Touch ID. Most computers, phones, and tablets support this as an easier-to-use alternative to physical security keys.
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.security %}
1. Next to "Security keys", click **Add**.
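Review bot: "WebAuthn compatible security key" should be hyphenated as "WebAuthn-compatible security key". The unchanged sentence "If you lose your security key, you'll still be able to use your phone's code to sign in" now follows a step that introduces built-in authenticators such as Windows Hello, Face ID, or Touch ID, where there is no separate key to lose; consider "If you lose access to your security key or device authenticator, you'll still be able to use your TOTP app or SMS code to sign in" so the fallback statement covers both cases. Changing "Some browsers" to "Most browsers" and adding "Most computers, phones, and tablets support this" are stronger claims than before; please confirm they hold for the browsers and platforms the docs support.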
@ -126,7 +131,7 @@ Authentication with a security key is *secondary* to authentication with a TOTP
![Screenshot of the "two-factor methods" section of the 2FA settings. A gray button labeled "Add" is outlined in orange.](/assets/images/help/2fa/add-security-keys-option.png)
1. Under "Security keys", click **Register new security key**.
1. Type a nickname for the security key, then click **Add**.
1. Following your security key's documentation, activate your security key.
1. Following your security key's documentation, activate your security key. If using an authenticator that's built into your device, follow the activation instructions from your operating system. You may need to select options such as `Face`, `PIN`, or `built-in sensor` to access your device's authenticator, depending on your operating system and browser.
1. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods#downloading-your-two-factor-authentication-recovery-codes)."
{% ifversion ghes < 3.9 %}{% data reusables.two_fa.test_2fa_immediately %}{% endif %}
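Review bot: the option names `Face`, `PIN`, and `built-in sensor` are UI labels, and the rest of this procedure formats UI elements in bold (**Add**, **Register new security key**) rather than in code font; suggest bold for consistency. Because the labels vary by operating system and browser, phrase them as examples, for instance "such as **Face**, **PIN**, or a built-in sensor option".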


@ -13,8 +13,17 @@ topics:
- 2FA
shortTitle: Disable 2FA
---
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}
We strongly recommend using two-factor authentication to secure your account. If you need to disable 2FA, we recommend re-enabling it as soon as possible.
{% ifversion mandatory-2fa-dotcom-contributors %}
If you are part of the group that {% data variables.product.prodname_dotcom %} is requiring to enroll in 2FA in 2023, you cannot disable 2FA. A banner will display in your authentication settings to remind you that you are not allowed to disable 2FA. For more information about our 2023 2FA enrollment rollout for contributors to {% data variables.product.prodname_dotcom_the_website %}, see [this blog post](https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13).
{% endif %}
{% warning %}
**Warning:** If you're a member{% ifversion fpt or ghec %}, billing manager,{% endif %} or outside collaborator to a public repository of an organization that requires two-factor authentication and you disable 2FA, you'll be automatically removed from the organization, and you'll lose your access to their repositories. To regain access to the organization, re-enable two-factor authentication and contact an organization owner.
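Review bot: the added paragraph links to the same blog post that the `mandatory-2fa-contributors-2023` reusable directly above it already links to, so the rendered page shows two consecutive links to the rollout post; one of them can be dropped. Also "A banner will display in your authentication settings to remind you that you are not allowed to disable 2FA" reads better as "A banner in your authentication settings reminds you that you cannot disable 2FA."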


@ -23,3 +23,7 @@ children:
- /disabling-two-factor-authentication-for-your-personal-account
shortTitle: Secure your account with 2FA
---
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}


@ -48,8 +48,20 @@ For more information about the authentication methods available for {% data vari
## Configure two-factor authentication
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}
The best way to improve the security of {% ifversion fpt %}your personal account{% elsif ghes %}your personal account or {% data variables.location.product_location %}{% elsif ghec %}your accounts{% elsif ghae %}your enterprise on {% data variables.product.product_name %}{% endif %} is to configure two-factor authentication (2FA){% ifversion ghae %} on your SAML identity provider (IdP){% endif %}. Passwords by themselves can be compromised by being guessable, by being reused on another site that's been compromised, or by social engineering, like phishing. 2FA makes it much more difficult for your accounts to be compromised, even if an attacker has your password.
As a best practice, to ensure both security and reliable access to your account, you should always have at least two second-factor credentials registered on your account. Extra credentials ensures that even if you lose access to one credential, you won't be locked out of your account.{% ifversion fpt or ghec %}
Additionally, you should prefer security keys and authenticator apps (called TOTP apps) over use of SMS whenever possible. SMS-based 2FA does not provide the same level of protection as TOTP apps or security keys, and it is no longer recommended under the [NIST 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) digital identity guidelines.
{% endif %}{% ifversion mandatory-2fa-dotcom-contributors %}{% ifversion ghec %}
If service accounts in your organization have been selected for 2FA enrollment by {% data variables.product.prodname_dotcom %}, their tokens and keys will continue to work after the deadline without interruption. Only access to {% data variables.product.prodname_dotcom %} through the website UI will be blocked until the account has enabled 2FA. We recommend setting up TOTP as the second factor for service accounts, and storing the TOTP secret exposed during setup in your company's shared password manager, with access to the secrets controlled through SSO.
{% endif %}{% endif %}
{% ifversion not ghae %}
{% ifversion ghec %}
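Review bot: "Extra credentials ensures that" should be "Extra credentials ensure that" (plural subject). The tag chain `{% endif %}{% ifversion mandatory-2fa-dotcom-contributors %}{% ifversion ghec %}` is packed onto one line and is hard to review; putting each tag on its own line matches how the other hunks in this change lay out the `mandatory-2fa-dotcom-contributors` block. In the service-account paragraph, the TOTP secret placed in the shared password manager is the account's long-term second factor, so it is worth saying that the recovery codes generated at setup (which the configuration article in this change tells users to download) should be stored under the same access controls.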
@ -62,6 +74,8 @@ If you're the site administrator for {% data variables.location.product_location
If you're an organization owner, then you {% ifversion fpt %}can{% else %}may be able to{% endif %} require that all members of the organization enable 2FA.
To learn more about enabling 2FA on your own account, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)." To learn more about requiring 2FA in your organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)."
{% ifversion ghec or ghes %}
### Configure your enterprise account


@ -15,6 +15,10 @@ topics:
shortTitle: Require 2FA
---
{% ifversion mandatory-2fa-dotcom-contributors %}
{% data reusables.two_fa.mandatory-2fa-contributors-2023 %}
{% endif %}
## About two-factor authentication for organizations
{% data reusables.two_fa.about-2fa %} You can require all {% ifversion fpt or ghec %}members, outside collaborators, and billing managers{% else %}members and outside collaborators{% endif %} in your organization to enable two-factor authentication on {% data variables.product.product_name %}. For more information about two-factor authentication, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)."
@ -23,6 +27,12 @@ shortTitle: Require 2FA
You can also require two-factor authentication for organizations in an enterprise. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise)."
{% note %}
**Note**: Some of the users in your organization may have been selected for mandatory two-factor authentication enrollment by {% data variables.product.prodname_dotcom_the_website %}, but it has no impact on how you enable the 2FA requirement for your organization. If you enable the 2FA requirement in your organization, all users without 2FA currently enabled will be removed from your organization, including those that are required to enable it by {% data variables.product.prodname_dotcom_the_website %}.
{% endnote %}
{% endif %}
{% warning %}
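Review bot: this note is the same text as the note added to the enterprise policy article linked just above it, with "your organization" swapped for "organizations in your enterprise"; put it in a reusable under `data/reusables/two_fa/` next to `mandatory-2fa-contributors-2023` so the two copies cannot drift. The same wording fixes apply here: "but it has no impact" should be "but this has no impact", and "those that are required" should be "those who are required".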


@ -0,0 +1,5 @@
# Reference: #8971
versions:
fpt: '*'
ghec: '*'
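Review bot: the new feature-version file records only `# Reference: #8971`; since `mandatory-2fa-dotcom-contributors` gates copy about a rollout that the reusable in this change says runs through the end of 2023, add a comment stating when the flag and the gated notes are expected to be removed, or which issue tracks that removal, so the banners do not outlive the rollout.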


@ -0,0 +1,7 @@
{% note %}
**Note:** Starting in March 2023 and through the end of 2023, {% data variables.product.prodname_dotcom %} will gradually begin to require all users who contribute code on {% data variables.product.prodname_dotcom_the_website %} to enable one or more forms of two-factor authentication (2FA). If you are in an eligible group, you will receive a notification email when that group is selected for enrollment, marking the beginning of a 45-day 2FA enrollment period, and you will see banners asking you to enroll in 2FA on {% data variables.product.prodname_dotcom_the_website %}. If you don't receive a notification, then you are not part of a group required to enable 2FA, though we strongly recommend it.
For more information about the 2FA enrollment rollout, see [this blog post](https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13).
{% endnote %}
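Review bot: "If you don't receive a notification, then you are not part of a group required to enable 2FA" is too strong for a rollout that the same note says proceeds gradually through the end of 2023: a user who has not been notified yet may still be selected later. Suggest "If you haven't received a notification, you are not yet part of a group required to enable 2FA". Also "will gradually begin to require" can be tightened to "will gradually require".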