The Context
OpenCommit is a code hosting platform. That means accounts are not just profiles; they are keys.
Keys to:
- repositories,
- releases,
- issue trackers,
- project roadmaps,
- CI tokens and integrations,
- maintainership, trust, and reputation.
In the broader ecosystem, account takeovers are one of the most common ways projects get compromised. Sometimes it’s dramatic (malicious releases, backdoors). Often it’s mundane (spam, credential stuffing, or opportunistic abuse, for example). Either way, the impact isn’t contained to one person. When an account is compromised, communities lose time, users lose trust, and maintainers lose sleep.
Passwords alone are not enough. They get reused, phished, leaked, guessed, and harvested. Even careful people get caught by a convincing login prompt or a reused password from a breach years ago.
Especially in this day and age, when the world is unstable and attackers are actively trying to poison software supply chains, we felt we would be remiss if we did not require 2FA.
So, this is why we mandate Two-Factor Authentication (2FA) during registration on opencommit.eu.
How We Think About This
We see mandatory 2FA as a baseline safety measure, not a premium feature and not an accusation.
A few principles guide our thinking:
A forge is shared infrastructure
One compromised account can affect many people. This is not only about personal security; it’s about protecting projects and their users.
Security controls should be boring and default
The most effective security measures are the ones you don’t have to remember to enable later.
We prefer prevention over cleanup
Incident response is expensive, slow, and never perfect. Preventing takeovers is cheaper than undoing damage.
We aim for a consistent minimum standard
If only “high-profile” users enable 2FA, attackers will simply target everyone else. Baselines work only when they apply broadly.
We still care about accessibility and usability
Security that locks people out is not security. 2FA needs to be reliable, recoverable, and supported with clear processes.
Enabling 2FA right at the start of the platform is easier than later
By enforcing 2FA right from the start of the platform, we hope it will not only act as a deterrent against spam but also encourage people to take security seriously. It is also much easier to do now than to add later.
In short: 2FA is one of the simplest steps we can take to improve protection of our ecosystem.
What We Commit To
Here’s what mandatory 2FA means on OpenCommit, in practical terms.
We commit to:
Requiring 2FA for all newly registered accounts
When you create an account on opencommit.eu, you must set up 2FA as part of registration.
Treating account security as a platform responsibility
We don’t see this as “users should be more careful”. We strive to design for the reality that phishing and credential leaks happen.
Keeping the policy simple and predictable
This is a baseline rule, not something enforced selectively.
Providing a clear path when things go wrong
People lose devices. Authenticator apps break. Life happens. We will maintain a documented recovery process and handle requests carefully and consistently.
We will not:
- Pretend that passwords alone are an acceptable security level for a modern forge.
- Make exceptions “because it’s inconvenient” while expecting everyone else to carry the risk.
- Treat 2FA as a substitute for other security work. It’s one layer, not a magic shield.
What We Ask From You
We require 2FA, but we also need you to use it responsibly.
We ask that you:
Set up 2FA in such a way that you can keep access
If you can, use a method that you can back up and migrate when you change devices.
Plan for recovery
Make sure you understand how you’ll regain access if you lose your primary device.
Be extra careful with login prompts
2FA helps, but phishing still exists, especially attacks that capture both your password and your 2FA code in real time and replay them before the code expires.
Tell us quickly if you suspect compromise
If you think your account has been accessed by someone else, report it as soon as possible so we can help contain the impact. You can do so through the platform by opening an issue at https://opencommit.eu/opencommit/support/issues or by sending an email to security@opencommit.eu.
How This Might Evolve
Security is not static, and neither is OpenCommit.
We expect that:
- We may refine which 2FA methods we support as standards evolve.
- We may improve recovery processes to be both safer and less painful.
- We may add additional protections for sensitive actions if needed (for example, when changing security settings or transferring ownership).
What will not change is the core idea: OpenCommit is shared infrastructure, and baseline security is part of operating it responsibly.