Profile Applicability:
Level 2

Description:
All users accessing the package registry must authenticate using Multi-Factor Authentication (MFA). MFA requires users to provide two or more verification factors—such as a password plus a one-time code from an authenticator app or hardware token—before gaining access. This adds an additional security layer beyond simple passwords.

Rationale:
Implementing MFA reduces the risk of unauthorized access due to compromised credentials, phishing attacks, or password reuse. It strengthens overall security for the package registry, protecting critical software assets and the software supply chain from malicious actors.

Impact:
Pros:

  • Significantly improves account security by requiring additional verification.

  • Helps prevent unauthorized access and potential supply chain attacks.

  • Supports compliance with security policies and regulatory requirements.

  • Increases user accountability and traceability.

Cons:

  • May add slight friction to user login processes.

  • Requires deployment and management of MFA infrastructure.

Default value:
Some package registries may allow access with only username and password by default, without MFA enforcement.

Audit:
Review the registry's authentication configuration and its authentication/audit logs to confirm that MFA is required for every human user, including administrators and outside collaborators. Enumerate exceptions and bypasses explicitly: accounts exempted from the MFA requirement, service accounts, long-lived API or publish tokens issued before enforcement, and alternative login paths (a legacy or basic-auth endpoint, or a federated identity provider that does not itself require a second factor). Any successful login recorded without a second factor is a finding.
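The two halves of this audit, a policy check and a log check, as an added example that is not part of the original benchmark text. The GitHub REST endpoints it calls (GET /orgs/{org} and GET /orgs/{org}/members?filter=2fa_disabled) are real; the organization name, the token, the sample API responses and the newline-delimited JSON login-log layout are constructed assumptions for illustration, so `logins_without_mfa` must be adapted to the real log schema of whatever registry is in scope.

```python
"""
Audit helper for the MFA control: flag accounts that can reach a package
registry without a second factor.

  1. Policy check against the GitHub REST API: is the organization-wide
     2FA requirement on, and which members still lack 2FA?
  2. Log check over NDJSON login records (record layout is an assumption).
"""
import json
import urllib.request

API = "https://api.github.com"


def _get(path, token):
    """GET a GitHub REST endpoint with a bearer token and decode the JSON body."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def evaluate_org(org_info, members_without_2fa):
    """Return a list of findings for an organization's MFA posture.

    org_info is the object from GET /orgs/{org} (the
    two_factor_requirement_enabled field is only returned to org owners);
    members_without_2fa is the list from
    GET /orgs/{org}/members?filter=2fa_disabled.
    """
    findings = []
    if not org_info.get("two_factor_requirement_enabled"):
        findings.append("organization does not require 2FA for members")
    for member in members_without_2fa:
        findings.append(f"member without 2FA: {member['login']}")
    return findings


def audit_github_org(org, token):
    """Live version of evaluate_org (needs network and an org-owner token).
    Fetches the first page only; follow Link headers for larger orgs."""
    return evaluate_org(
        _get(f"/orgs/{org}", token),
        _get(f"/orgs/{org}/members?filter=2fa_disabled&per_page=100", token),
    )


def logins_without_mfa(lines):
    """Scan NDJSON login records and return (user, timestamp) for every
    successful login that completed with a single factor.  The field names
    (event, outcome, mfa, user, ts) are an assumed schema."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event") != "login" or rec.get("outcome") != "success":
            continue
        if not rec.get("mfa", False):
            hits.append((rec["user"], rec["ts"]))
    return hits


# Constructed sample data standing in for real API responses and logs.
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_NO_2FA = [{"login": "alice"}, {"login": "ci-bot"}]
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "event": "login", "outcome": "success", "mfa": false, "method": "password"}
{"ts": "2024-05-01T08:05:00Z", "user": "bob", "event": "login", "outcome": "success", "mfa": true, "method": "password+totp"}
{"ts": "2024-05-01T08:07:00Z", "user": "mallory", "event": "login", "outcome": "failure", "mfa": false, "method": "password"}
{"ts": "2024-05-01T09:00:00Z", "user": "ci-bot", "event": "login", "outcome": "success", "mfa": false, "method": "token"}
""".splitlines()


if __name__ == "__main__":
    for finding in evaluate_org(SAMPLE_ORG, SAMPLE_NO_2FA):
        print("FINDING:", finding)
    for user, ts in logins_without_mfa(SAMPLE_LOG):
        print(f"FINDING: single-factor login by {user} at {ts}")
```

Run as-is it reports on the constructed sample: the organization is non-compliant and two members, one of them an automation account authenticating with a token, never present a second factor. That last case is the bypass the audit text warns about: token-based logins sit outside the MFA requirement, so they need their own review even on an organization where enforcement is switched on.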

Remediation:
Enable MFA enforcement in the package registry settings (for example, an organization-wide two-factor requirement), or delegate authentication to an identity provider that enforces MFA and disable local password login. Before turning enforcement on, notify users and give them time to enroll; on some registries, enabling the requirement removes members who have not yet enrolled. Educate users on MFA use and benefits, and regularly review the authentication configuration and the list of accounts still without a second factor.

References:

  1. GitHub MFA Enforcement: https://docs.github.com/en/account-and-profile/signing-in-to-github/configuring-two-factor-authentication

  2. Nexus Repository MFA Guide: https://help.sonatype.com/repomanager3/security/multi-factor-authentication

  3. CIS Controls v8, Safeguards 6.3 (Require MFA for Externally-Exposed Applications) and 6.5 (Require MFA for Administrative Access): https://www.cisecurity.org/controls/multi-factor-authentication/