2fa requirement for manual trigger of a pipeline

This is a companion to “force 2FA for users in an organization”, as that is hard to implement.

I’d like to see an option for pipelines which lets us require 2fa to trigger a manual build.

Here’s the typical scenario:
I’ve created a pipeline to deploy a new version of our website, which I’m letting our admins do, but I want to be sure that their laptops haven’t been compromised, so I’d like to make sure they used 2FA.

I know I can roll that myself using the GraphQL API (thanks Rose for the pointer) and check if the user has 2FA configured, but that is a bit convoluted.

Hi Martin!

Thanks for the suggestion.

It sounds to me like the “right way” might be to enforce 2FA at an organization level, which you’ve seen is already requested here, and which I think we’re planning to do at some point.

require 2fa to trigger a manual build?

This is really interesting, but I’m not sure how to do it. As in, you can only use the New Build button if you have 2fa set up? Or you have recently authenticated?

What about builds created through the APIs or webhooks, are they considered out of scope? i.e. is this best effort?

Correct. APIs and webhooks are out of scope, but it would be nice if you tracked if the API key was created by a user with 2fa enabled, so you avoid privilege escalation.
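The self-rolled check Martin alludes to (a GraphQL lookup of the triggering user's 2FA status) and the UI-versus-API scoping discussed just above, written out as an added example. This is not code from the thread or from Buildkite. It assumes the GraphQL endpoint at https://graphql.buildkite.com/v1, the job environment variables BUILDKITE_SOURCE and BUILDKITE_BUILD_CREATOR_EMAIL, a hypothetical BUILDKITE_GRAPHQL_TOKEN variable holding an API token, and an `OrganizationMember.security.twoFactorEnabled` field whose exact path should be verified against the live schema. The GraphQL response below is constructed sample data so the gate can be exercised offline.

```python
"""Gate a deploy step on the triggering user's 2FA status.

Added example, not code from the forum thread or from Buildkite itself.
Assumptions: GraphQL endpoint GRAPHQL_URL; the field path
organization.members.edges[].node.security.twoFactorEnabled (check it
against the schema); env var names BUILDKITE_SOURCE and
BUILDKITE_BUILD_CREATOR_EMAIL; BUILDKITE_GRAPHQL_TOKEN is a name chosen here.
"""
import json
import os
import sys
import urllib.request

GRAPHQL_URL = "https://graphql.buildkite.com/v1"

# Field path assumed for this example; verify against the live schema.
MEMBERS_QUERY = """
query($slug: ID!) {
  organization(slug: $slug) {
    members(first: 500) {
      edges { node { user { email } security { twoFactorEnabled } } }
    }
  }
}
"""

# Constructed sample response in the shape MEMBERS_QUERY is assumed to return.
SAMPLE_RESPONSE = {
    "data": {"organization": {"members": {"edges": [
        {"node": {"user": {"email": "alice@example.com"},
                  "security": {"twoFactorEnabled": True}}},
        {"node": {"user": {"email": "bob@example.com"},
                  "security": {"twoFactorEnabled": False}}},
    ]}}}
}


def fetch_members(token, org_slug):
    """Run MEMBERS_QUERY against the real API (not exercised offline)."""
    body = json.dumps({"query": MEMBERS_QUERY, "variables": {"slug": org_slug}})
    req = urllib.request.Request(
        GRAPHQL_URL, data=body.encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def two_factor_by_email(graphql_response):
    """Map each member's lower-cased email to their 2FA flag."""
    edges = graphql_response["data"]["organization"]["members"]["edges"]
    return {e["node"]["user"]["email"].lower():
            bool(e["node"]["security"]["twoFactorEnabled"]) for e in edges}


def gate_build(env, tfa_by_email, require_ui=True):
    """Decide whether this build may proceed; returns (allowed, reason).

    Only builds created through the UI are subject to the 2FA check, as in
    the thread. With require_ui=True (the default) builds from the API,
    webhooks or schedules are refused outright so the gate fails closed;
    pass require_ui=False to let them through unchecked instead.
    """
    source = env.get("BUILDKITE_SOURCE", "")
    creator = env.get("BUILDKITE_BUILD_CREATOR_EMAIL", "").strip().lower()
    if source != "ui":
        if require_ui:
            return False, f"build source {source!r} is not a manual UI trigger"
        return True, f"build source {source!r} is not gated"
    if not creator:
        return False, "no build creator recorded on this build"
    tfa = tfa_by_email.get(creator)
    if tfa is None:
        return False, f"{creator} is not a member of the organization"
    if not tfa:
        return False, f"{creator} does not have 2FA enabled"
    return True, f"{creator} triggered the build manually with 2FA enabled"


if __name__ == "__main__":
    # Run as the first command of the deploy step; a non-zero exit fails it.
    members = fetch_members(os.environ["BUILDKITE_GRAPHQL_TOKEN"],
                            os.environ["BUILDKITE_ORGANIZATION_SLUG"])
    ok, why = gate_build(os.environ, two_factor_by_email(members))
    print(why)
    sys.exit(0 if ok else 1)
```

The gate runs inside the agent, so it only raises the bar for the UI path: anyone holding an API token can still create a build with a non-UI source, which is exactly the escalation the thread goes on to discuss. Binding tokens to 2FA-confirmed users is something only the service can enforce.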

… would be nice if you tracked if the API key was created by a user with 2fa enabled …

This is a nice suggestion — if we add the ability to restrict organization membership to only users with 2fa enabled then we should probably only allow tokens created or confirmed with 2fa to access the organization, too. I’ll make sure this gets fed into our work on 2fa enforcement.