2FA Enforcement on the Joomla Github Organisations

Password leaks, successful phishing attacks and compromised end user machines are the daily reality in today’s IT security landscape. This means that the “traditional” way of authenticating, with a username and password alone, isn’t secure enough anymore; we need something better.

The solution is quite straightforward: two factor authentication (2FA). This adds an extra layer of security by requiring something the legitimate user physically “has”, i.e. a hardware token or a mobile phone. An attacker who has gained access to the username and password will still not be able to log in, because he lacks physical access to the second-factor device.

In order to improve the security of the project’s assets by utilizing 2FA, the Joomla Project will start enforcing two factor authentication for members of its GitHub organizations (github.com/joomla, github.com/joomla-extensions and github.com/joomla-framework) on March 15th, 2020. This means that any member has until that date to enable 2FA in her/his GitHub account. If 2FA is not enabled by March 15th, the user will be removed from the GitHub organization.

This does not affect “external” contributors: if you aren’t a member of the project’s GitHub organizations, you will still be able to use the issue tracker, create pull requests and clone the codebase.

Timeline for the enforcement:

  • February 15th: Publishing this blog post
  • February 15th: First email to all affected organization members
  • March 1st: Second email to all affected organization members
  • March 15th: Enabling the enforcement