Ensure the organization is requiring members to use Multi-Factor Authentication (MFA)

ID

organization_mfa

Severity

low

Family

SCM

Tags

mfa, non-reachable, security, slsa-3, slsa-4, supply-chain

Description

Require members of the organization to use Multi-Factor Authentication (MFA) in addition to a standard username and password when authenticating to the source code management platform.

Security

By default, every user authenticates to the platform with a password only. If a user's password is compromised, the account and every repository it can access are exposed to data loss, malicious code commits, and data theft.

It is therefore recommended that each user has Multi-Factor Authentication enabled. This adds another layer of protection to ensure the account remains secure even if the user’s password is compromised.

Members without MFA enabled should not contribute to the organization’s projects. They should enable MFA before they can contribute any code.

Mitigation / Fix

Use the platform's built-in setting to enforce Multi-Factor Authentication for every member of the organization.

GitHub

Go to the organization page, then Settings > Security/Authentication security (or https://github.com/organizations/ORGANIZATION/settings/security). In the "Two-factor authentication" section, tick the "Require two-factor authentication for everyone in the Xygeni organization" checkbox (the label shows your own organization's name) and click "Save".

When MFA is required, members and outside collaborators who do not have two-factor authentication enabled for their personal account will be removed from the organization.

GitLab

On GitLab.com, groups are the equivalent of organizations. Go to your group's page, then Settings > General (or https://gitlab.com/groups/GROUP/-/edit), expand "Permissions and group features", and in the "Two-factor authentication" section activate the "All users in this group must set up two-factor authentication" checkbox, then click the "Save Changes" button. The setting cascades to subgroups, although each subgroup can also carry its own MFA enforcement setting.

For the Self-managed and GitLab Dedicated offerings, enforcement is configured instance-wide, either for all users or for administrators only.

Read Enforce two-factor authentication for the full documentation.

Azure DevOps (ADO)

Authentication in ADO is mediated by Microsoft Entra ID (formerly Azure Active Directory), so MFA is enforced at that layer rather than in ADO itself. Microsoft currently offers security defaults to simplify security management, available for organizations registered before October 22, 2019.

Microsoft's philosophy is that administrator accounts are the only accounts that need extra layers of authentication, so MFA is enforced by default only for administrators. Nevertheless, several basic controls can be enforced:

  • Requiring all users to register for MFA.

  • Requiring administrators to perform MFA.

  • Requiring users to perform MFA when necessary.

  • Blocking legacy authentication protocols.

  • Protecting privileged activities like access to the Azure portal.

Normally these are enabled through security defaults for the organization. A more fine-grained alternative is Conditional Access: create a new policy that requires MFA and enable it.

Bitbucket

In Bitbucket Cloud, MFA enforcement is managed at the workspace level.

As a workspace administrator, go to Workspace settings > Access controls (or https://bitbucket.org/WORKSPACE_NAME/workspace/settings/access_controls), enable the "Require two-step verification" option, then click the "Update" button. You must have two-step verification enabled on your own Atlassian account before you can enforce it for the workspace.

Read Enable two-step verification for further details.
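As an added example (not Xygeni's own code), the following Python script audits the GitHub and GitLab settings described above from the defender's side, by reading the enforcement flag that each platform's REST API returns on the organization or group object. The sample payloads are constructed; the live checks assume a token with organization-owner visibility on GitHub (the flag is hidden from other members) and read access to the group on GitLab.

```python
"""Audit MFA enforcement on a GitHub organization or a GitLab group.
Added example, not Xygeni's own code. It reads the organization/group object
from the platform REST API and inspects the enforcement flag:
  GitHub  GET /orgs/{org}   -> "two_factor_requirement_enabled"
  GitLab  GET /groups/{id}  -> "require_two_factor_authentication" """
import json
import urllib.request

GITHUB_API = "https://api.github.com"
GITLAB_API = "https://gitlab.com/api/v4"

def evaluate_github_org(org):
    # GitHub exposes the flag only to organization owners: a missing field
    # means "unknown" (None), never "compliant".
    value = org.get("two_factor_requirement_enabled")
    return None if value is None else bool(value)

def evaluate_gitlab_group(group):
    # Same contract for a GitLab group object.
    value = group.get("require_two_factor_authentication")
    return None if value is None else bool(value)

def finding(platform, target, enforced):
    # Result record using this checkpoint's id and severity.
    status = {True: "pass", False: "fail", None: "unknown"}[enforced]
    return {"id": "organization_mfa", "severity": "low", "platform": platform,
            "target": target, "status": status}

def fetch_json(url, token):
    # Both platforms accept a bearer token (personal access or OAuth token).
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def check_github(org_name, token):
    org = fetch_json(f"{GITHUB_API}/orgs/{org_name}", token)
    return finding("github", org_name, evaluate_github_org(org))

def check_gitlab(group_id, token):
    group = fetch_json(f"{GITLAB_API}/groups/{group_id}", token)
    return finding("gitlab", str(group_id), evaluate_gitlab_group(group))

# Constructed sample payloads, trimmed to the relevant fields.
SAMPLE_GITHUB_OWNER = {"login": "example-org", "two_factor_requirement_enabled": True}
SAMPLE_GITHUB_MEMBER = {"login": "example-org"}  # flag hidden from non-owners
SAMPLE_GITLAB_GROUP = {"id": 42, "require_two_factor_authentication": False, "two_factor_grace_period": 48}

if __name__ == "__main__":
    print(finding("github", "example-org", evaluate_github_org(SAMPLE_GITHUB_OWNER)))
    print(finding("github", "example-org", evaluate_github_org(SAMPLE_GITHUB_MEMBER)))
    print(finding("gitlab", "42", evaluate_gitlab_group(SAMPLE_GITLAB_GROUP)))
```

A "fail" result maps directly to this checkpoint; an "unknown" result means the token used cannot see the setting and should be re-run with an organization owner's credentials rather than treated as compliant.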