Require second factor (security key) in Common Requirements
The 'Common Requirements' requires multi-party auth but doesn't explicitly require 2FA.
Should this be a requirement?
Could we make the requirement be the use of a hardware-backed security key (e.g. YubiKey)? Maybe just at higher levels?
+1 I think it's an easy-to-implement requirement for most places.
2FA as common requirements at higher levels sounds more than reasonable. Agree that a hardware-backed security key is the gold standard; do we want to recommend for/against other options? SMS is worth recommending against. What about authenticator apps?
Probably worth recommending a security key and, if not supported, then an authenticator app? Personally I use a YubiKey for stuff, but not everything supports it.
We're deferring definition of SLSA L4 until after 1.0, which includes the multi-party approval Access requirement that this issue relates to.
Actually I think we should consider this for v1.0. The Common Requirements section is getting replaced by the guidelines + survey/self-attestation. In those guidelines, we might want to recommend 2FA for all administrators? Shall we keep it in v1.0 for now? We can always choose to defer later if we're short on time.
Recommending 2FA for all administrators as part of the guidelines will be great for 1.0, yes please.
Is having a complete set of guidelines alongside the core spec in scope for the 1.0 milestone?
Guidelines for "build system/service" (name liable to change) implementers have been agreed under the "evidence of security claims" part of the SLSA 1.0 proposal, assuming the PR for proposal 3 is approved.