Repository: https://github.com/ossf/great-mfa-project (archived)

# The Great MFA Distribution Project

Welcome to the Great MFA Distribution Project
(`great-mfa-project`).
The goals of this project are to:

1. Promote the use of multi-factor authentication (MFA) throughout all stages of Open Source Software (OSS) development,
2. Distribute MFA tokens to some developers of critical OSS, and
3. Provide or point to information to help people *easily* use MFA tokens.

The OpenSSF is working with Google and GitHub, who have generously offered to provide and distribute MFA tokens.
Thank you!

MFA tokens, also called keys or fobs, are hardware devices specifically for authentication.
These MFA tokens can be used in many applications in a developer's workflow. They help provide higher degrees
of validation for a developer's identity when logging into code repositories or applications, or performing
critical tasks such as signing code.
Attackers generally find it much harder to take over an account authenticated with an MFA token compared to an account authenticated with only a password;
see [why we are doing this](#why-are-we-doing-this) for more information.

## How do I get an MFA token?

If your open source software (OSS) project has been notified that
you're getting a free token from us,
you'll receive a Google coupon code or a GitHub validation code.
Here are step-by-step instructions:

* [How to get a Titan token from Google](getting-titan-token-from-google.md)
* [How to get a Yubikey token from GitHub](getting-yubikey-token-from-github.md)

If you contribute to an OSS project and were not contacted during our first round of
token distribution, please reach out to our [Working Group](mailto:openssf-wg-best-practices+owner@lists.openssf.org) for more information.

Currently the tokens are shipped from the US. International shipping is
available but subject to various limitations. See the
[invitation.md](./invitation.md) for more information.

The OpenSSF cares about privacy and does *not* get detailed lists of
who gets every token; we only get aggregate values (per-project Google tokens
and aggregate totals from GitHub).

## How do I use an MFA token?

For some simple instructions on how to use MFA tokens for common OSS
situations, see our [Token Usage Guide](guide/token-usage-guide.md).

## How we're doing this

Here is our basic plan:
* Create a list of about 100 critical open source software (OSS) projects.
  [Here is the list of critical OSS projects and who will be notifying them from the Great MFA Distribution Project](https://docs.google.com/spreadsheets/d/1sO_tJ_B7_2I-TUx23pnBoIRJIqaOm8yBnKAwqs7DwBw/edit#gid=0).
  For more information, see the section below on
  [how this collection of critical OSS projects was selected](#how-were-critical-oss-projects-selected).
* Develop a set of simple documents on how to use these tokens
  for common OSS cases. First drafts were done 2021-12-02, but we'll
  keep refining them.
* Send an [invitation](./invitation.txt) to each critical OSS project. This will be done by one of the great-mfa-plan notifiers, typically by filing an issue, in 2021-12-02..10. The current Great MFA Distribution Project notifiers, with GitHub/GitLab account names and organizational affiliations, are:
  - David A. Wheeler (@david-a-wheeler/@david-a-wheeler) (Linux Foundation),
  - CRob (@SecurityRob) (Intel),
  - Xavier Rene-Corail (@xcorail) (GitHub),
  - John Naulty (@jnaulty) (Coinbase),
  - Jose Palafox (@josepalafox) (GitHub),
  - Marta Rybczynska (Syslinbit),
  - Arnaud J Le Hors (@lehors) (IBM),
  - Glenn ten Cate (@blabla1337) (OWASP),
  - Georg Kunz (@gkunz) (Ericsson), and
  - Jory Burson (@jorydotcom) (Linux Foundation).
* If a project accepts, the notifier will tell a sender (David A. Wheeler or Jory Burson) key information: which project has accepted, the email address to send private information to, and how the project accepted. The sender will then send the project the coupon codes and validation codes using the [coupon_sending.md](./coupon_sending.md) template. This is 2021-12-03..31.
* Projects distribute the codes. Receivers use them to get the tokens from
  the Google Store or GitHub shop. Then the tokens get used!
* Projects send back some information, which we combine with other data
  to determine whether or not we've had a positive effect (hopefully we have!).

Note: Organizational affiliations are *only* shown to clarify who we mean.

We've taken some steps to make sure this does *not* turn into
the "world's best supply chain attack". See our
[security rationale](./security-rationale.md).
We also want to ensure this isn't just a "token effort".
You can see the now-obsolete draft document
[*The Great MFA Distribution Plan*](https://docs.google.com/document/d/1Hhg4KcLCzEdd9ZcbdEviN0TIUTLyWDsIdF6B_hY3Xv0/edit) if you want to see more detail.


## Why are we doing this?

Our goal is to prevent supply chain attacks involving
weak or compromised credentials of developers of open source software.

Over the last several years, open source software has become a critical upstream component
of many kinds of software and applications that are used the world over. Along with this
increase in use, the potential for malicious actors to exploit the amazing work OSS
communities develop each day has grown as well.

The
["Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks" by Ohm et al](https://arxiv.org/abs/2005.09535)
noted that compromising developer credentials is one way to subvert OSS, e.g.,
its source code (in a forge) or its package (in a package repository).
Here are examples:

* coa and rc - ["Malware found in coa and rc, two npm packages with 23M weekly downloads", 2021-11-05](https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/)
* UA-Parser-JS library - ["Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware", Adam Bannister, 2021-10-25](https://portswigger.net/daily-swig/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware)
* Homebrew - [Holmes, E.: "How I gained commit access to Homebrew in 30 minutes", 2018](https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab)
* Gentoo Linux - [Khandelwal, S.: "Password-guessing was used to hack Gentoo Linux GitHub account", 2017](https://thehackernews.com/2018/07/github-hacking-gentoo-linux.html)

MFA tokens don't counter all attacks (such as typosquatting). Also, hardware tokens should not be left unguarded in untrusted spaces, since [side-channel attacks](https://www.zdnet.com/article/new-side-channel-attack-can-recover-encryption-keys-from-google-titan-security-keys/) against hardware tokens are known to exist.
Still, by using tools such as multi-factor authentication, the likelihood that bad actors will be able to violate the integrity of the open source supply chain is greatly reduced.

This will increase the level of security and protection for your project immensely, but use your common sense.

## Why not use an authentication app instead?

An authentication app (such as Authy) running on a mobile phone
is often stronger against attack than a simple password. So if you're using
one, that's great!

However, hardware tokens are stronger still against attack.
Authentication apps are easier to "take over" than a hardware token
because the underlying system (the phone/computer hardware and
its operating system) is shared with other apps.
Those other apps may have unintentional vulnerabilities or
embedded malicious code that can be used to
steal the keys underlying the authentication app.
In contrast, hardware tokens
are single-purpose, so far fewer attacks work against them.

## How were critical OSS projects selected?

For our purposes, a critical OSS project is an OSS project that can have
an especially large impact if it has a significant unintentional vulnerability,
or if it is subverted in either its source repository or
distribution package(s).
There are literally millions of open source software (OSS) projects today,
making it difficult to create a focused list of "critical OSS projects".

The list of critical OSS projects was developed for the Great MFA Distribution
Project by the
[OpenSSF Securing Critical Projects Working Group (WG)](https://github.com/ossf/wg-securing-critical-projects).
This OpenSSF working group has been *specifically* working on this problem!

There are many ways to identify "critical" projects, so the
Securing Critical Projects WG combined the results of several different
analyses (the analyses are also called "Selection Criteria").
The WG then used human group review of this combined set of top candidates
to create a final defensible list. The analyses ("selection criteria") for
identifying candidate critical OSS projects included:

* [OpenSSF Criticality Score](https://github.com/ossf/criticality_score): A top OpenSSF criticality score value. This metric prefers projects that are extremely active on specific forges. Such projects are likely to be important (at least to the participants). However, this is not a perfect measure; some projects will score low here and yet be very critical. Also, it currently only considers GitHub-hosted projects. As of 2021-11-23 the projects with the top scores are node, kubernetes, rust, and spark.
* [Census Program II](https://www.coreinfrastructure.org/programs/census-program-ii/): Harvard preliminary analysis, using SCA & dependency data. This tends to emphasize lower-level libraries that are depended on, transitively, by many.
* OSTIF Managed Audit Program: Programs OSTIF has recommended for audit. These were selected earlier from research sources, focusing on securing the most critical projects. You can see the [OSTIF Managed Audit Program (MAP25)](https://docs.google.com/spreadsheets/d/1oytKuD7UCX6nDXWQMr6ZgYYgap_SH_JVBof5gNrgSxo/edit#gid=0).
* [Top Google Project](https://opensource.google/projects/list/featured): Featured on the Google Open Source page and widely adopted.
* [Top Microsoft Project](https://opensource.microsoft.com/projects/): Featured on the Microsoft Open Source page and widely adopted.
* [Top Linux Foundation Project](https://www.linuxfoundation.org/projects/): Featured on the Linux Foundation Projects page and related to supply chains.
* Secure Supply Chain Tool: Directly related to supply chain security (identified by the WG).
* Survey Response: [Response to public survey](https://forms.gle/19PKPS17zkL5fTFUA).
* Language implementation: Identified by the community as a widely-used language implementation.
* Community Addition: Separately identified by the community as important.
* Previously subverted: If software has been previously attacked & it made headlines, it must be critical enough to attack.

Every method for identifying critical OSS projects has its strengths and
weaknesses; we believe the combination of these analyses with human review
is better than relying on any one of them.
For example, a high criticality score tends to emphasize very busy projects;
human review can remove projects that are busy but for whatever reason
are less critical.
Some projects are very important yet not active; by using other measures
(not just the OpenSSF criticality score) we can still identify them.

We have no doubt that other OSS projects will be added to the
critical OSS projects list over time. If you're interested in helping
to do that, please join the Securing Critical Projects WG.

[Here is the list of critical OSS projects and who will be notifying them from the Great MFA Distribution Project](https://docs.google.com/spreadsheets/d/1sO_tJ_B7_2I-TUx23pnBoIRJIqaOm8yBnKAwqs7DwBw/edit#gid=0).
This list of projects is the same as the list of
[critical OSS projects identified by the critical projects WG by 2021-12-02](https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=0). We're currently using the version as of
2021-12-02, because the Google coupon codes expire on 2021-12-31.
Even if they didn't expire, though, we think it's wiser to quickly get the tokens
we have available to critical projects.
The sooner the tokens start getting used by developers, the sooner we
counter some attacks on critical projects.

## Background information

Some will refer to these as "two-factor authentication" (2FA) tokens;
however, for various reasons we're using the term "MFA" instead.

The Great MFA Distribution Project is a project of the Linux Foundation's
[Open Source Security Foundation (OpenSSF)](https://openssf.org/)
within its
[Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers).
Discussions are held within that working group's
mailing list and online meetings.

All documents, including any improvements, are released under the
[Creative Commons Attribution (CC BY) license](https://creativecommons.org/licenses/by/4.0/).