As indicated in go/github-org-owners#settings, we require that two-factor authentication (2FA) be mandatory for members and collaborators of an organization. While this is policy for all Googlers registered at go/github, enabling this setting on an organization may affect GitHub users who are not Google employees.
What turning on 2FA means for your organization
If you have members and/or collaborators who do not currently use 2FA on their GitHub account, requiring 2FA on your organization means that these users will lose:
- Commit access to repositories
- Forks of private repositories
- Any administrative access they previously had
During the process of enabling 2FA for your organization, you will be shown the members and outside collaborators who will be affected by this change. You'll then be asked to confirm the change to your settings.
You can manually check if your organization has any users who do not have 2FA enabled by visiting the following links (and replacing %orgname% with your organization's name):
https://github.com/orgs/%orgname%/people?&query=two-factor%3Adisabled
https://github.com/orgs/%orgname%/outside-collaborators?query=two-factor%3Adisabled
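The same check can be scripted against GitHub's REST API, whose organization members and outside-collaborators list endpoints accept filter=2fa_disabled. This is an added example, not part of the original page: the function names, the "example-org" name and the sample logins are constructed, and a live run assumes an organization owner's token in GITHUB_TOKEN.

```python
import json
import os
import sys
import urllib.request
from urllib.parse import quote

API = "https://api.github.com"
KINDS = ("members", "outside_collaborators")
# Constructed sample responses (not real accounts), used when no org is given.
SAMPLE = {"members": [{"login": "octo-dev"}],
          "outside_collaborators": [{"login": "vendor-bot"}, {"login": "Contractor1"}]}


def api_fetch(url):
    """Fetch one page of JSON using an org owner's token from GITHUB_TOKEN."""
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + os.environ["GITHUB_TOKEN"],
        "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def sample_fetch(url):
    """Offline stand-in for api_fetch that serves the constructed SAMPLE data."""
    return SAMPLE[url.split("?")[0].rsplit("/", 1)[1]]


def list_2fa_disabled(org, kind, fetch):
    """Return sorted logins in `kind` that do not have 2FA enabled."""
    logins, page = [], 1
    while True:
        batch = fetch(f"{API}/orgs/{quote(org, safe='')}/{kind}"
                      f"?filter=2fa_disabled&per_page=100&page={page}")
        logins.extend(user["login"] for user in batch)
        if len(batch) < 100:  # a short page is the last page
            return sorted(logins, key=str.lower)
        page += 1


def impact_report(org, fetch):
    """Map 'members' and 'outside_collaborators' to the logins lacking 2FA."""
    return {kind: list_2fa_disabled(org, kind, fetch) for kind in KINDS}


if __name__ == "__main__":
    # With an org name argument, query GitHub; with none, use the sample data.
    live = len(sys.argv) > 1
    report = impact_report(sys.argv[1] if live else "example-org",
                           api_fetch if live else sample_fetch)
    for kind, logins in report.items():
        print(f"{kind}: {len(logins)} without 2FA: {', '.join(logins) or '-'}")
    sys.exit(1 if any(report.values()) else 0)
```

The script exits non-zero when anyone would be affected, so it can gate a scheduled compliance job.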
Once you have 2FA required for your org, users will not be able to accept invitations to become members or outside collaborators of the organization (or repositories on the organization) unless they enable 2FA on their GitHub accounts.
How we monitor
We pull information on each organization approximately once a week. You (the organization administrator) will receive an issuetracker issue if your org has this setting disabled. It will include steps to return your organization to a state of compliance with our policy.
NOTE: If your organization repeatedly falls out of compliance, we will work with you to establish better practices for administering your org.
Robot accounts
For information on how to enable 2FA on a robot account, follow these instructions: go/github-docs/robots
Reinstating access
If a member or outside collaborator has their access removed when you turn on 2FA, GitHub provides a mechanism for restoring it easily. If the user enables 2FA within three months of being removed from the org, you can reinstate their same privileges and access within the organization. To do this, GitHub provides the following guides:
Troubleshooting
Once you've required 2FA on your organization, you can keep track of anyone removed using GitHub's audit log and querying for action:org.remove_member and action:org.remove_outside_collaborator.