Merge pull request #1 from google-admin/2fa

google-admin · web-flow · commit 823b07f4a577 · 2025-05-30T09:44:46.000-07:00
Add 2FA message.
diff --git a/20250530.md b/20250530.md
@@ -0,0 +1,35 @@
+# Enforcing Secure 2FA Across the Alphabet Enterprise
+
+As part of our ongoing efforts to secure Alphabet's source code, on June 30th 2025, we will **require all users accessing Alphabet-owned GitHub Organizations use only secure MFA methods**.
+
+Secure methods include the following: 
+*  Authenticator Apps (TOTP)
+*  Passkeys
+*  Security Keys
+*  GitHub Mobile App (acting as 2fa)
+
+
+Insecure methods include the following:
+*  SMS
+
+## What will happen after this change?
+Users will receive an email from GitHub notifying them of this change. 
+Users will be immediately locked out from accessing organization resources and will be prompted to set up a secure method or remove insecure methods. Once this is complete, access is immediately restored. 
+
+ > [!NOTE]
+ > This will also impact external collaborators and non-Googler members of Alphabet-owned Organizations. 
+
+## What should I do ahead of time? 
+We strongly recommend reviewing your MFA methods ahead of this change to ensure that:
+
+1.  You have at least one secure method
+1.  (Remove SMS as a 2FA method)[https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/changing-your-two-factor-authentication-method]
+
+> [!NOTE]
+> You must add an Authenticator App prior to GitHub permitting the removal of an SMS based authentication method
+
+## What is the rollout plan?
+1.  Shortly after sending this email, there will be a butter bar added to notify users of the changes in GitHub
+1.  We will send reminder emails notifying users of this change (2 and 1 week prior to enforcement)
+1.  We will begin a phased roll out on June 30th, 2025 to gather initial feedback
+1.  Pending the success of 3, we’ll aim to rollout to all Organizations by July 14th, 2025
