
Organization policies and 2FA settings

Anand Gaurav edited this page Mar 13, 2018 · 3 revisions

Status: Incubation

2FA = two-factor authentication, also referred to as two-step verification.

Issue

The work for this feature and the discussion around the spec are tracked here: Organization policies and 2FA settings #5599

Who is the customer?

  • All NuGet package authors who want to enable an additional layer of security for their accounts
  • All NuGet package authors who want to be protected by a more robust layer of security for public NuGet.org packages
  • All NuGet package authors who wish to publish signed packages.
  • All NuGet.org Organization admins who want specific settings/enforcement on members and packages.

Key Scenarios

Here are the 2FA-related requirements. As Noel, a NuGet.org user,

  • I should be able to enable 2FA to sign in to my account for enhanced security.
  • I am required to use 2FA to sign in to my account if I want to manage certificates.
  • I should be able to enable 2FA sign-in for all users who wish to manage packages for an Organization I administer. This includes:
    • Manage certificates for Organization – Add/Remove/Override
    • Manage API keys scoped to Organization
    • Upload/update organization packages

Additional Organization policies. As Noel, a NuGet.org user who is an admin of an Organization on NuGet.org,

  • I should be able to restrict membership to my company's employees only, i.e. AAD-based accounts belonging to the same tenant
  • I should be able to require specific metadata for packages uploaded/updated for my Organization (on NuGet.org)

Solution

Enable 2FA setting for individual accounts

Account users can enable 2FA through a setting (Account settings->Login Account).

  • Setting up 2FA for NuGet.org would not require 2FA for other services that use MSA.
  • MSA users could set a global two-step verification for their MSA which will enable 2FA for all services including NuGet.org.
  • If the MSA 2FA setting is enabled, NuGet.org will detect this and auto-enable the NuGet.org 2FA setting.
  • If the NuGet.org 2FA setting is not enabled, there will always be a warning icon associated with the account (top-right) that leads the user to enable the 2FA setting.

Proposed storyboard: [storyboard image]

Enable 2FA policy setting for Organization's members

An organization admin can enforce 2FA for all the members' accounts for enhanced security. Once enabled,

  • All the members will receive a notification mail indicating the 2FA requirement.
  • Members will have an option in the mail to remove themselves from the Organization instead of having 2FA enforced on their account.
  • The members' accounts will have the 2FA setting enabled automatically unless the member removes themselves from the Organization through the link sent in the mail (as mentioned above).
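The following is an added example, not NuGet.org's code, that models the behaviour described in the two sections above: the MSA two-step setting auto-enabling the NuGet.org setting, the warning icon condition, and an Organization admin enforcing 2FA with the notify / opt-out / auto-enable sequence. The Account and Organization classes, the "pending" bookkeeping between the mail and the auto-enable step, and the notification text are assumptions that follow the spec.

```python
"""Model of the individual 2FA setting and of Organization-level 2FA enforcement.

Added example, not NuGet.org's code. The classes, the pending-enforcement step
and the notification format are assumptions that follow the described behaviour.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    nuget_2fa_enabled: bool = False   # the NuGet.org account setting
    msa_2fa_enabled: bool = False     # global MSA two-step verification, detected at sign-in


@dataclass
class Organization:
    name: str
    require_2fa: bool = False
    members: dict = field(default_factory=dict)    # account name -> Account
    notifications: list = field(default_factory=list)
    pending: set = field(default_factory=set)      # members notified but not yet auto-enabled


def sync_msa_setting(account):
    """MSA two-step verification auto-enables the NuGet.org setting; the reverse
    never happens (enabling it on NuGet.org does not touch other MSA services)."""
    if account.msa_2fa_enabled:
        account.nuget_2fa_enabled = True
    return account.nuget_2fa_enabled


def show_2fa_warning(account):
    """The top-right warning icon is shown whenever the NuGet.org setting is off."""
    return not sync_msa_setting(account)


def enforce_org_2fa(org):
    """Admin turns the policy on: every member gets a mail and becomes pending."""
    org.require_2fa = True
    for member in org.members.values():
        org.notifications.append(
            (member.name, f"{org.name} now requires 2FA; use the link to leave the org instead")
        )
        org.pending.add(member.name)
    return sorted(org.pending)


def leave_org(org, account):
    """Member follows the opt-out link in the mail and is removed before auto-enable."""
    org.members.pop(account.name, None)
    org.pending.discard(account.name)
    return account.name not in org.members


def apply_org_2fa(org):
    """Auto-enable the setting for every member who did not opt out."""
    enabled = []
    for name in sorted(org.pending):
        org.members[name].nuget_2fa_enabled = True
        enabled.append(name)
    org.pending.clear()
    return enabled


def demo():
    """Walk the flow once with constructed accounts; returns the final state."""
    alice = Account("alice", msa_2fa_enabled=True)   # already has MSA two-step on
    bob = Account("bob")
    carol = Account("carol")
    org = Organization("contoso-org", members={a.name: a for a in (alice, bob, carol)})

    pending = enforce_org_2fa(org)        # three mails go out
    leave_org(org, carol)                  # carol opts out via the mail link
    enabled = apply_org_2fa(org)          # alice and bob are auto-enabled
    return {
        "pending": pending,
        "enabled": enabled,
        "carol_2fa": carol.nuget_2fa_enabled,        # False: she left instead
        "carol_member": "carol" in org.members,      # False
        "alice_warning": show_2fa_warning(alice),    # False: MSA setting detected
        "mails": len(org.notifications),             # 3
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pending set is that the opt-out link must be honoured before the setting is flipped; applying the policy in the same step as sending the mail would leave members no way to decline.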

Proposed storyboard: [two storyboard images]

Other Organization policies (P2)

There are other settings that can be implemented through Organization policies:

  • Azure AD authentication based memberships - An organization (on NuGet.org) can enforce that only its company's employees can be its members. This can be implemented if the company has a corresponding tenant registered with Azure AD and the Organization's email address on NuGet.org belongs to that tenant. NuGet.org will deduce the tenant ID from the provided email address and auto-enable this policy setting. It can be unset by the Org's admins.

  [policy setting image]

  • Enforce specific metadata for Org's packages - This policy setting would allow an Org's admin to require that certain metadata be present in the Org's packages and match the values specified as part of the setting.
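The following is an added example, not NuGet.org's code, that models the two P2 policies above: tenant-based membership deduced from the Organization's email address (with the admin able to unset it) and required package metadata checked on upload. The domain-to-tenant table stands in for the Azure AD lookup and its tenant IDs are constructed; the OrgPolicies class, its method names and the sample nuspec fields are assumptions.

```python
"""Model of the Azure AD tenant membership policy and the required-metadata policy.

Added example, not NuGet.org's code. TENANT_BY_DOMAIN is a constructed stand-in
for the Azure AD tenant lookup; the class and method names are assumptions.
"""

# Constructed stand-in for resolving an email address's AAD tenant.
# Consumer domains (outlook.com, gmail.com, ...) resolve to no tenant at all.
TENANT_BY_DOMAIN = {
    "contoso.com": "tenant-contoso-0001",    # constructed ID
    "fabrikam.com": "tenant-fabrikam-0002",  # constructed ID
}


def tenant_for_email(email):
    """Deduce the tenant ID from the address's domain; None if it is not an AAD domain."""
    _, at, domain = email.strip().rpartition("@")
    if not at or not domain:
        return None
    return TENANT_BY_DOMAIN.get(domain.lower())


class OrgPolicies:
    def __init__(self, org_email, required_metadata=None):
        # The tenant policy is auto-enabled when the Org's own email address
        # belongs to an AAD tenant; the Org's admins may unset it afterwards.
        self.tenant_id = tenant_for_email(org_email)
        # key -> required value; compared exactly, so "contoso" != "Contoso"
        self.required_metadata = dict(required_metadata or {})

    def unset_tenant_policy(self):
        self.tenant_id = None

    def membership_allowed(self, member_email):
        """With the policy set, only accounts from the same tenant may join."""
        if self.tenant_id is None:
            return True
        return tenant_for_email(member_email) == self.tenant_id

    def metadata_violations(self, package_metadata):
        """Return (key, expected, actual) for every required field that is missing or mismatched."""
        violations = []
        for key, expected in self.required_metadata.items():
            actual = package_metadata.get(key)
            if actual != expected:
                violations.append((key, expected, actual))
        return violations

    def upload_allowed(self, package_metadata):
        """An upload/update is accepted only when no required field is violated."""
        return not self.metadata_violations(package_metadata)


if __name__ == "__main__":
    policy = OrgPolicies(
        "nuget-admin@contoso.com",
        {"authors": "Contoso", "licenseUrl": "https://contoso.com/license"},  # constructed
    )
    print(policy.tenant_id, policy.membership_allowed("dev@outlook.com"))
    print(policy.metadata_violations({"id": "Contoso.Lib", "authors": "contoso"}))
```

Note that a member using a personal MSA on a consumer domain resolves to no tenant and is rejected while the policy is set, which is exactly the case the policy exists for; unsetting the policy admits everyone again.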

Proposed storyboard: [three storyboard images]

2FA requirement for registering certificates

In order to submit signed packages to NuGet.org, the signing certificates need to be registered first. A user or an Org's admin can register and manage the certificates they intend to use for package signing. For enhanced security when managing certificates on NuGet.org, we would require that the user sign in using 2FA to be able to manage certificates on NuGet.org.
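The following is an added example, not NuGet.org's code, that encodes the sign-in requirement above together with the Key Scenarios list: managing certificates always needs a 2FA-verified session, while the Org-scoped operations (certificates, Org-scoped API keys, Org package uploads) need one only when the Organization's 2FA policy is on. The action names, the Session class and the (allowed, reason) return shape are assumptions.

```python
"""Which operations require a 2FA-verified sign-in.

Added example, not NuGet.org's code. Action names, the Session/OrgPolicy
classes and the (allowed, reason) result are assumptions.
"""
from dataclasses import dataclass

# Org-scoped operations covered by an Organization's 2FA policy (Key Scenarios).
ORG_SCOPED_ACTIONS = {"manage_certificates", "manage_api_keys", "upload_package"}
# Certificate management requires 2FA even for an individual account.
ALWAYS_2FA_ACTIONS = {"manage_certificates"}


@dataclass
class Session:
    user: str
    two_factor_verified: bool   # did this sign-in complete the second step?


@dataclass
class OrgPolicy:
    name: str
    require_2fa: bool = False


def two_factor_required(action, org=None):
    """True when the action may only be performed from a 2FA-verified session."""
    if action in ALWAYS_2FA_ACTIONS:
        return True
    return org is not None and org.require_2fa and action in ORG_SCOPED_ACTIONS


def authorize(session, action, org=None):
    """Return (allowed, reason); on "2fa_required" the UI sends the user to the 2FA step."""
    if two_factor_required(action, org) and not session.two_factor_verified:
        return False, "2fa_required"
    return True, "ok"


if __name__ == "__main__":
    password_only = Session("noel", two_factor_verified=False)
    enforcing_org = OrgPolicy("contoso-org", require_2fa=True)
    print(authorize(password_only, "manage_certificates"))          # (False, '2fa_required')
    print(authorize(password_only, "upload_package"))               # (True, 'ok')
    print(authorize(password_only, "upload_package", enforcing_org))  # (False, '2fa_required')
```

The check is on the session, not the account setting: a user whose account has 2FA enabled but who signed in through a path that skipped the second step must still be sent to the 2FA step before touching certificates.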

Proposed storyboards

Individual accounts: [storyboard image]

Organizations: [storyboard image]
