Lots of users don't seem to know/realise that 2FA is available on rubygems.org. We should work on improving the UI and informing users about this.
For me personally, I try to look at the main FAQs first every now and then; and admittedly I do not regularly keep up with changes (oddly enough, GitHub issues are often a good way to update one's knowledge).
Perhaps a FAQ or FAQ-like entry could be added onto:
on the left-hand side; that FAQ can also help serve as a page for links towards e.g. 2FA.
Not sure where 2FA within the guides should be displayed. Perhaps https://guides.rubygems.org/security/ ?
This is a really good idea. In addition to the guides, we could possibly:
In a similar vein, I'd like to be able to audit my co-authors to ensure they have enabled it and/or remove them from authorship (but I don't see a way to figure this out). Just let me know if this should be a distinct issue.
Making the MFA / 2FA setting more visible is exactly why I am here. When I wanted to activate it, I first clicked on the "Security" link, then browsed a bit around until I finally found the tiny "Edit Profile" link. I later saw it is also in the top-right drop-down. But "Edit Profile" is not the wording I would expect. Maybe "Edit Settings", but I was actually looking specifically for 2FA and therefore an _authentication_ or _security_ setting.
I'd suggest adding a link "Set up 2FA" to the page.
And / or to add a banner to prompt people to secure their account with 2FA.
I am aware 2FA does not prevent all vectors of attack, but it improves the security of the accounts substantially.
@geemus your suggestions might overlap with: https://github.com/rubygems/rubygems.org/issues/2106
https://github.com/rubygems/rubygems.org/pull/2129
This PR allows you to audit your fellow owners. c/c @geemus
We emailed all active users who didn't have MFA enabled, asking them to enable it. You can audit your co-owners using the owners page or using the feature implemented by Imansur. We have also separated the settings (which have the MFA settings) and the edit profile page in #2537.
I feel there is enough literacy about MFA being available on rubygems.org as of now, and the settings are easy enough to find. Please open an issue on the guides repo if you have suggestions for improvements to the docs/instructions.