2 Factor Auth for NuGet.org sign in #3252
Comments
@shishirx34 , please cost all the tasks in this epic.
Moving to backlog until we get the full story on what needs to be done.
Are there any plans to implement 2-factor auth in the nearest future on nuget.org?
Hi @DixonDs, 2FA is a high priority item on our backlog, and we are working on a spec for this feature. We will share details with the community once it's ready, and will encourage feedback and ideas.
Spec link above is 404
What does this mean for push and nuget keys?
@forki , 2FA has no impact on API keys, and will be used only for login to the Gallery. Regarding the 404, checking and will get back to you.
@forki I have updated the link to the spec. Remember this is still work in progress and I will post on this issue when decent progress is made on this. Please do continue to post your feedback.
Update: The spec is ready for review |
Looking at the spec, it doesn't currently show how to link an existing account to AAD. How is that intended to work?
@onovotny Clicking on the "Sign in with Microsoft" will lead to a login screen that will redirect to an AAD login if the email ID entered is an AAD account. Nothing else changes. Updated the spec with this detail.
What about the case where the AAD and MSA account are the same email address? Will it "just work" in that case? As a concrete example, I have my MSA currently attached to my NuGet account but I would want to add/change that to be the AAD account (which uses the same email address).
Yep, this is a grey area. My understanding is that this case should already be handled by the MSA/AAD integration, where they ask you to choose either MSA or School/Organization account when you have both. When you try this on a Microsoft service, I think you must be getting these options today? At NuGet.org, if you use these interchangeably, we will link both MSA and AAD accounts to the NuGet.org account. This does have some implication on the policies, like whether we show a 2FA policy or say it's managed by the AAD admin, as the account is linked to both? Note that linking multiple accounts won't be possible in any other scenario (or maybe existing ones) except for this specific case.
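An added illustration of the sign-in and account-linking rules sketched in the replies above (routing "Sign in with Microsoft" to AAD or MSA, linking a second identity only for the same-email MSA/AAD case, and API-key push not being affected by 2FA). This is example code written for this thread, not NuGet.org Gallery code; the AAD domain lookup, the policy strings and all names are assumptions.

```python
# Added illustration of the sign-in/linking policy discussed in this thread.
# This is NOT NuGet.org Gallery code; provider names, the AAD domain lookup
# and the policy strings are assumptions made for the example.
from dataclasses import dataclass, field

# Constructed stand-in for "is this email an AAD (work/school) account?".
# A real service asks the identity provider; a fixed domain set suffices here.
AAD_DOMAINS = {"contoso.com"}


@dataclass(frozen=True)
class ExternalIdentity:
    provider: str  # "MSA" (personal) or "AAD" (work/school)
    email: str


@dataclass
class GalleryAccount:
    username: str
    identities: list = field(default_factory=list)
    api_keys: set = field(default_factory=set)


def route_sign_in(email: str) -> str:
    """'Sign in with Microsoft': send AAD addresses to AAD login, everything else to MSA."""
    domain = email.rsplit("@", 1)[-1].lower()
    return "AAD" if domain in AAD_DOMAINS else "MSA"


def link_identity(account: GalleryAccount, identity: ExternalIdentity) -> None:
    """Attach a federated identity to a Gallery account.

    A second identity is accepted only in the one case the thread allows:
    an MSA and an AAD identity that carry the very same email address.
    """
    if not account.identities:
        account.identities.append(identity)
        return
    providers = {i.provider for i in account.identities}
    emails = {i.email.lower() for i in account.identities}
    if identity.provider in providers:
        raise ValueError(f"an {identity.provider} identity is already linked")
    if emails != {identity.email.lower()}:
        raise ValueError("a second identity may only be linked when it uses the same email")
    account.identities.append(identity)


def two_factor_policy(account: GalleryAccount) -> str:
    """What the Gallery would display for the account's 2FA status.

    An account linked to AAD defers to the tenant admin; otherwise the
    Gallery shows its own 2FA policy. Both strings are assumptions.
    """
    if any(i.provider == "AAD" for i in account.identities):
        return "managed by AAD admin"
    return "show 2FA policy"


def authorize_push(account: GalleryAccount, api_key: str) -> bool:
    """Package push authenticates with an API key only; 2FA is never consulted."""
    return api_key in account.api_keys


if __name__ == "__main__":
    acct = GalleryAccount("alice", api_keys={"api-key-1"})  # constructed sample account
    link_identity(acct, ExternalIdentity("MSA", "alice@contoso.com"))
    link_identity(acct, ExternalIdentity("AAD", "alice@contoso.com"))
    print(route_sign_in("alice@contoso.com"), two_factor_policy(acct),
          authorize_push(acct, "api-key-1"))
```

The email comparison is case-insensitive so that `Alice@contoso.com` and `alice@contoso.com` are treated as the same address; linking is refused both for a second identity from the same provider and for any identity whose address differs.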
Maybe semantics, but the spec does not seem to be about 2FA at all (quote: "At NuGet.org, we do not want to build additional 2-FA", as well as "We will not mandate 2-FA usage for all accounts."), but about federated identity and deprecating user registration. Other than that sounds good! (one concern: is this all going to be configuration or will other gallery instances be enforced to use this, too?)
@anangaur will there be a separate spec at some point showing how this integrates with the client? Some sort of Credential Provider integration, perhaps - similar to what we do for VSTS (and MyGet does as well)?
@maartenba We would like to have enhanced security for all the NuGet.org accounts via 2-FA. There are 2 aspects to it:
This should be configuration based so that other gallery instances are not forced to use it. I have updated the spec with this detail.
Right. This is more like a NuGet.org only feature. Credential provider and related client authentication mechanism would be a different feature in future.
Status: Reviewed
Spec for this feature available here: https://github.com/NuGet/Home/wiki/2-Factor-Auth-for-NuGet.org-sign-in
Discussions should happen on this issue. Please link other issues with similar asks to this one.