Skip to main content

Эта версия GitHub Enterprise Server была прекращена 2024-03-26. Исправления выпускаться не будут даже при критических проблемах безопасности. Для повышения производительности, повышения безопасности и новых функций выполните обновление до последней версии GitHub Enterprise Server. Чтобы получить справку по обновлению, обратитесь в службу поддержки GitHub Enterprise.

Обязательная двухфакторная проверка подлинности в вашей организации

Владельцы организации могут требовать от участников организации и сторонних участников совместной работы, чтобы включить двухфакторную проверку подлинности для их персональных учетных записей, чтобы усложнить для злоумышленников доступ к репозиториям и параметрам организации.

Кто эту функцию можно использовать?

Requiring two-factor authentication is available to organizations on a GitHub Free or GitHub Team plan, as well as organizations on GitHub Enterprise Cloud or GitHub Enterprise Server. With GitHub Enterprise Cloud, this feature is unavailable for organizations in an корпоративный с управляемыми пользователями.

About two-factor authentication for organizations

Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. You can require all members and outside collaborators in your organization to enable two-factor authentication on GitHub Enterprise Server. For more information about two-factor authentication, see "Securing your account with two-factor authentication (2FA)."

Warnings:

  • When you require use of two-factor authentication for your organization, members and outside collaborators who do not use 2FA will be removed from the organization and lose access to its repositories. They will also lose access to their forks of the organization's private repositories. You can reinstate their access privileges and settings if they enable two-factor authentication for their personal account within three months of their removal from your organization. For more information, see "Reinstating a former member of your organization."
  • You will also need to enable 2FA for unattended or shared access accounts, such as bots and service accounts. If you do not configure 2FA for these unattended accounts after you've enabled required two-factor authentication, the accounts will be removed from the organization and lose access to their repositories. For more information, see "Managing bots and service accounts with two-factor authentication."
  • If an organization owner, member, or outside collaborator disables 2FA for their personal account after you've enabled required two-factor authentication, they will automatically be removed from the organization.
  • If you're the sole owner of an organization that requires two-factor authentication, you won't be able to disable 2FA for your personal account without disabling required two-factor authentication for the organization.

Authentication methods that support 2FA

Authentication MethodDescriptionTwo-factor authentication support
Built-inAuthentication is performed against personal accounts that are stored on the GitHub Enterprise Server appliance.Supported and managed on the GitHub Enterprise Server appliance. Organization owners can require 2FA to be enabled for members of the organization.
Built-in authentication with an identity providerAuthentication is performed against accounts that are stored on the identity provider.Dependent on the identity provider.
LDAPAllows integration with your company directory service for authentication.Supported and managed on the GitHub Enterprise Server appliance. Organization owners can require 2FA to be enabled for members of the organization.
SAMLAuthentication is performed on an external identity provider.Not supported or managed on the GitHub Enterprise Server appliance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available.
CASSingle sign-on service is provided by an external server.Not supported or managed on the GitHub Enterprise Server appliance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available.

Prerequisites

Before you can require organization members and outside collaborators to use two-factor authentication, you must enable two-factor authentication for your account on GitHub Enterprise Server. For more information, see "Securing your account with two-factor authentication (2FA)."

Before you require use of two-factor authentication, we recommend notifying organization members and outside collaborators and asking them to set up 2FA for their accounts. You can see if members and outside collaborators already use 2FA. For more information, see "Viewing whether users in your organization have 2FA enabled."

Requiring two-factor authentication in your organization

  1. In the upper-right corner of GitHub Enterprise Server, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Next to the organization, click Settings.

  3. In the "Security" section of the sidebar, click Authentication security.

  4. Under "Two-factor authentication", select Require two-factor authentication for everyone in your organization, then click Save.

  5. If prompted, read the information about members and outside collaborators who will be removed from the organization.

  6. In the text field, type your organization's name to confirm the change, then click Remove members & require two-factor authentication.

Viewing people who were removed from your organization

To view people who were automatically removed from your organization for non-compliance when you required two-factor authentication, you can search your organization's audit log for people removed from your organization. The audit log event will show if a person was removed for 2FA non-compliance. For more information, see "Reviewing the audit log for your organization."

  1. In the upper-right corner of GitHub Enterprise Server, select your profile photo, then click Your organizations.

    Screenshot of the dropdown menu under @octocat's profile picture. "Your organizations" is outlined in dark orange.

  2. Next to the organization, click Settings.

  3. In the "Archives" section of the sidebar, click Logs, then click Audit log.

  4. Enter your search query. To search for:

    • Organization members removed, use action:org.remove_member in your search query
    • Outside collaborators removed, use action:org.remove_outside_collaborator in your search query

You can also view people who were removed from your organization by using a time frame in your search.

Helping removed members and outside collaborators rejoin your organization

If any members or outside collaborators are removed from the organization when you enable required use of two-factor authentication, they'll receive an email notifying them that they've been removed. They should then enable 2FA for their personal account, and contact an organization owner to request access to your organization.

Further reading