
Draft a 2FA policy
Open, Needs Triage, Public

Description

During a discussion about VMware ESXi security with @DorianWinty,
Dorian suggested we use 2FA for hypervisor access.

From that, I've checked the use of a second factor on DevCentral (a)
and this shows we need to draft a 2FA policy.

Groups with extra privileges

The members of the following groups should enable 2FA:

We can prepare a report to know who to contact about that (b).

Useful queries:

  • (a) SELECT count(*) FROM devcentral_user.user WHERE isEnrolledInMultiFactor = 1;
  • (b) A query on devcentral_user.user and devcentral_project.edge can help:
Users who need to enable 2FA
SELECT DISTINCT userName
FROM devcentral_project.edge
    LEFT JOIN devcentral_user.user ON user.phid = edge.dst
WHERE src IN (
        "PHID-PROJ-2gmvzczbipg5amctzsjd", -- Trusted users
        "PHID-PROJ-puoemrjignrbd2eilwpo"  -- Ops
    ) AND type = 13 -- PhabricatorProjectProjectHasMemberEdgeType
    AND isSystemAgent = 0 -- avoid bot accounts like Alken-Orin
    AND isEnrolledInMultiFactor = 0
ORDER BY userName;
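
To size the policy per group rather than as one flat list, the following added example (not part of the original task) reports 2FA coverage for each privileged group and lists the members still to contact. It assumes the standard Phabricator columns devcentral_project.project.name and devcentral_user.user.isDisabled, which do not appear in the task itself.

```sql
-- Added example: 2FA coverage per privileged group, with the users to contact.
-- Assumed columns (standard Phabricator schema, not shown in the task):
--   devcentral_project.project.name, devcentral_user.user.isDisabled
SELECT
    p.name AS groupName,
    COUNT(*) AS members,
    SUM(u.isEnrolledInMultiFactor = 1) AS enrolled,
    SUM(u.isEnrolledInMultiFactor = 0) AS missing,
    ROUND(100 * SUM(u.isEnrolledInMultiFactor = 1) / COUNT(*), 1) AS enrolledPct,
    -- GROUP_CONCAT skips NULLs, so only non-enrolled users are listed
    GROUP_CONCAT(
        CASE WHEN u.isEnrolledInMultiFactor = 0 THEN u.userName END
        ORDER BY u.userName SEPARATOR ', '
    ) AS usersToContact
FROM devcentral_project.edge e
    INNER JOIN devcentral_project.project p ON p.phid = e.src
    INNER JOIN devcentral_user.user u ON u.phid = e.dst
WHERE e.src IN (
        'PHID-PROJ-2gmvzczbipg5amctzsjd', -- Trusted users
        'PHID-PROJ-puoemrjignrbd2eilwpo'  -- Ops
    )
    AND e.type = 13          -- PhabricatorProjectProjectHasMemberEdgeType
    AND u.isSystemAgent = 0  -- skip bot accounts
    AND u.isDisabled = 0     -- skip disabled accounts (assumed column)
GROUP BY p.phid, p.name
ORDER BY missing DESC, p.name;
```

A user who belongs to both groups is counted once in each row. With MySQL defaults, usersToContact is truncated at group_concat_max_len (1024 bytes), so raise that session variable for large groups.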