GitHub/Converting to a "2FA required policy"

Requiring 2FA is an easy way to improve the security of your organization. And, it is also good for your contributors. Everyone benefits from utilizing 2FA. (There are a few cases where 2FA may not be practical for all contributors. Please reach out if you believe you have such a case.) In addition, requiring 2FA is a requirement for Mozilla managed GitHub organizations.

GitHub provides good instructions on enabling 2FA for your organization, including discussion of the impact it will have on current contributors. Here are some things to highlight:

• Do check to see who will be removed from the organization if you enable 2FA.
• Do remember that any automation set up by a non-2FA login will also be disabled when they are removed from the organization.
• Set up a private team to communicate with organization members who do not have 2FA, as you may not have emails for them. (Private, so you don’t advertise their accounts do not have 2FA enabled.)
• Do give your non-2FA contributors a reasonable amount of time to enable 2FA.

When you are ready to require 2FA for your organization:

• If you can, notify everyone of the upcoming change, and give the date.
  • Include the link to setting up 2FA on a user account instructions to assist individuals.
• Let folks know that some automation might break.
• Change your organization settings to require 2FA.
• Embrace the future!

If you do have questions or concerns, please chat with us in the GitHub-Admin channel on Matrix.