Organization requires members to have two-factor authentication enabled
organization_members_mfa_required
GitHub organization settings require all members to use two-factor authentication (2FA).
The evaluation determines whether access to organization resources is conditioned on members having 2FA enabled.
Risk
Without enforced 2FA, stolen or reused passwords enable account takeover, leading to:
- Loss of code integrity via unauthorized commits
- Confidential data exposure from repos and secrets
- Availability impact from settings changes, token revocation, or deletions
prowler github --checks organization_members_mfa_required
Recommendation
Enforce org-wide 2FA for all members and collaborators, preferring secure methods (passkeys, security keys, authenticator apps, GitHub Mobile) over SMS.
Apply least privilege, integrate with SSO, restrict token scopes, and use branch protection for defense-in-depth. Include bots/service accounts and define recovery options.
Remediation
- Sign in to GitHub as an organization owner with 2FA enabled
- Go to your organization > Settings
- In the left sidebar, click Security > Authentication security
- Under Two-factor authentication, select Require two-factor authentication for everyone in your organization
- Click Save, then Confirm
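The setting above can be audited and verified after the fact with the GitHub REST API. The following is an added example, not Prowler's own check implementation: it reproduces the check's decision (PASS only when the org-wide requirement is on) and, for a failing org, lists the members who still lack 2FA and would lose access once the requirement is enforced. It assumes the `two_factor_requirement_enabled` field on `GET /orgs/{org}` and the `filter=2fa_disabled` parameter on `GET /orgs/{org}/members`, both of which are only returned to organization owners; the sample responses in the block are constructed.

```python
"""Audit whether a GitHub organization requires 2FA for all members.

Added example, not Prowler's own check code. Assumes the GitHub REST API
fields `two_factor_requirement_enabled` (GET /orgs/{org}) and the
`filter=2fa_disabled` member filter (GET /orgs/{org}/members); both are only
populated for organization owners. Sample responses below are constructed.
"""
import json
import os
import urllib.request
from typing import Any

GITHUB_API = "https://api.github.com"


def evaluate_org_mfa(org: dict[str, Any]) -> dict[str, str]:
    """Mirror the check's logic on an org object: PASS only when the org-wide
    2FA requirement is enabled. A missing field means the caller is not an
    owner, so the state cannot be determined and is reported as UNKNOWN."""
    login = org.get("login", "<unknown>")
    flag = org.get("two_factor_requirement_enabled")
    if flag is None:
        return {"resource": login, "status": "UNKNOWN",
                "message": "Field absent: caller is not an organization owner."}
    if flag:
        return {"resource": login, "status": "PASS",
                "message": f"Organization {login} requires 2FA for all members."}
    return {"resource": login, "status": "FAIL",
            "message": f"Organization {login} does not require 2FA for all members."}


def members_without_2fa(members: list[dict[str, Any]]) -> list[str]:
    """Logins returned by the 2fa_disabled filter. These accounts are removed
    from the org when the requirement is enforced, so they should be contacted
    (and bots/service accounts migrated) before the setting is turned on."""
    return sorted(m["login"] for m in members)


def github_get(path: str, token: str) -> Any:
    """Minimal authenticated GET against the GitHub REST API (network call)."""
    req = urllib.request.Request(
        f"{GITHUB_API}{path}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses, shaped like the real API objects.
SAMPLE_ORG_FAIL = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_ORG_PASS = {"login": "example-org", "two_factor_requirement_enabled": True}
SAMPLE_MEMBERS_NO_2FA = [{"login": "svc-deploy-bot"}, {"login": "jdoe"}]


def audit_org(org_name: str, token: str) -> dict[str, Any]:
    """Live audit: evaluate the org flag and, on FAIL, list members without 2FA."""
    result: dict[str, Any] = evaluate_org_mfa(github_get(f"/orgs/{org_name}", token))
    pending: list[str] = []
    if result["status"] == "FAIL":
        pending = members_without_2fa(
            github_get(f"/orgs/{org_name}/members?filter=2fa_disabled&per_page=100", token))
    result["members_without_2fa"] = pending
    return result


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    org_name = os.environ.get("GITHUB_ORG")
    if token and org_name:
        # Set GITHUB_TOKEN (owner-scoped) and GITHUB_ORG to audit a real org.
        print(json.dumps(audit_org(org_name, token), indent=2))
    else:
        # Offline demonstration on the constructed samples.
        print(evaluate_org_mfa(SAMPLE_ORG_FAIL))
        print(members_without_2fa(SAMPLE_MEMBERS_NO_2FA))
```

Run it with `GITHUB_TOKEN` and `GITHUB_ORG` set to audit a live organization (the token must belong to an org owner, otherwise the flag is absent and the result is UNKNOWN rather than a false PASS); without them it exercises the same logic on the constructed samples. Listing the 2FA-disabled members before flipping the setting is what makes the rollout safe, since those accounts are dropped from the organization the moment the requirement is enforced.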
Source Code
Resource Type
NotDefined
References
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization