Replies: 1 comment
-
For anyone who might be reluctant to support this idea based on privacy concerns, I can confirm that GitHub's 2FA implementation doesn't try to push you to overshare.
-
Is your feature request related to a problem? Please describe.
The notorious ESLint compromise was attributed to password reuse. Currently crates.io does not protect from password reuse in any way.
Describe the solution you'd like
crates.io should require two-factor authentication to be enabled in the Github account in order to log in to crates.io.
While there seems to be no way to ask Github to perform 2FA, it is possible to query whether the user has 2FA enabled and refuse login attempts from people who do not have 2FA enabled. This is sufficient to protect from password reuse.
Describe alternatives you've considered
It would be nice to ask Github to perform 2FA when logging in to crates.io because that would also protect from Github cookie theft, but that doesn't appear to be possible - I could not find any Github API endpoints to do so.
Additional context
Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages have been compromised, with the ua-parser-js being the most widely used. See also: #4196, #4197 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.
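The check the request describes (query GitHub for the user's 2FA status during OAuth login and refuse accounts without it), as an added example that is not crates.io's own code. It relies on the `two_factor_authentication` boolean that GitHub's REST `GET /user` endpoint returns only when the OAuth token carries the `user` scope; the function and variable names are this example's own, and the sample responses are constructed, not real GitHub data.

```python
import json
import urllib.request
from typing import Tuple

GITHUB_USER_URL = "https://api.github.com/user"


def fetch_github_profile(access_token: str) -> dict:
    """Call GET /user with the OAuth token obtained during login.

    GitHub includes two_factor_authentication only for tokens with the
    `user` scope; with a narrower scope the field is simply absent.
    """
    req = urllib.request.Request(
        GITHUB_USER_URL,
        headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "crates-io-2fa-check-example",  # hypothetical
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate_login(profile: dict) -> Tuple[bool, str]:
    """Decide whether a GitHub-backed login may proceed.

    Fail closed: only an explicit `true` is accepted. A missing field
    (wrong token scope) or a non-boolean value is treated as "no 2FA".
    """
    login = profile.get("login", "<unknown>")
    flag = profile.get("two_factor_authentication")
    if flag is True:
        return True, f"{login}: 2FA enabled on GitHub, login allowed"
    if flag is False:
        return False, f"{login}: 2FA not enabled on GitHub, login refused"
    if flag is None:
        return False, (f"{login}: 2FA status not reported, token probably "
                       "lacks the `user` scope; login refused")
    return False, f"{login}: unexpected 2FA status {flag!r}, login refused"


# Constructed sample responses (not real GitHub data), one per branch.
SAMPLE_WITH_2FA = json.loads('{"login": "alice", "id": 1, "two_factor_authentication": true}')
SAMPLE_WITHOUT_2FA = json.loads('{"login": "bob", "id": 2, "two_factor_authentication": false}')
SAMPLE_NARROW_SCOPE = json.loads('{"login": "carol", "id": 3}')

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_2FA, SAMPLE_WITHOUT_2FA, SAMPLE_NARROW_SCOPE):
        allowed, reason = evaluate_login(sample)
        print("ALLOW" if allowed else "DENY ", "-", reason)
```

As the request itself notes, this only proves the GitHub account has 2FA turned on; it does not make GitHub perform a second factor for the crates.io login, so it does not help against a stolen GitHub session.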