
Improve access to critical Rust infra with MFA and hardware security keys #245

@ubiratansoares

Description

We want to improve security controls over critical Rust infrastructure, making sure that contributors with high-level access leverage the best security practices available.

While our policies already require multi-factor authentication (MFA) when accessing services like GitHub or AWS, the status quo for most contributors has been setting up MFA using personal devices, either using TOTP apps from a personal mobile phone, or perhaps another software solution like the 1Password authenticator. There are those who leverage a personal hardware security key as well.

Hence, there is room to elevate our security standards by introducing a policy that encourages and facilitates using standard hardware security keys as the way to go when dealing with MFA, in particular on top of solutions compatible with the FIDO U2F standard.

These hardware keys would be provided by the Rust Foundation and would be possessed by Rust Project members with access to infrastructure. In particular, the Rust Foundation is willing to provide YubiKey 5 series devices to support this effort. Yubico is a leading provider in this landscape, and YubiKeys should be compatible with nearly all infrastructure services we currently use.

By adopting such hardware keys, both the Rust Foundation and Rust Project members with high-level access would benefit from a strong hardware-based cryptography solution for MFA, which means an improvement over software-based solutions, even when setting up a TOTP app is the only option. In addition, we'd offer a path for people to decouple MFA from personal devices or accounts, which is another improvement considering situations like when a personal device gets lost.

Moreover, it's easy to set up an additional hardware security key for the sake of redundancy, which is important to avoid having people locked out of accounts in the case where a (main) hardware key becomes unavailable for any reason.

A couple of things to consider as part of this effort:

  • make a decision about the criteria we will use to categorize a service or product as "critical"
  • evaluate which critical services actually support MFA with hardware security keys
  • make a decision on whether we want to use hardware security keys as the MFA method for shared accounts
  • document a policy covering how people should use hardware security keys, which services are covered, etc.

Metadata

  • Labels: none
  • Type: none
  • Project status: Backlog
  • Milestone: none
  • Relationships: none yet
  • Development: no branches or pull requests