Two-factor-authentication now required for members and r+ on rust-lang, rust-lang-nursery, and rust-lang-deprecated repos



In light of the recent large-scale reused password attack on GitHub we’ve made the decision to require two-factor-authentication for all members of the rust-lang, rust-lang-nursery, and rust-lang-deprecated GitHub organization, as well as all those with bors r+ power. I have removed all GitHub write access for those without 2FA already, and will shortly review the r+ list to do the same. I apologize for the short notice, and I know this will be an inconvenience for some, but it’s necessary.

I will send emails to those affected today. To restore your access please turn on 2FA then send me an email at


I’ve now revoked r+ for everybody that either doesn’t have 2FA or whom I can’t tell one way or the other. As part of this change we’re going to need for all reviewers to be in the GitHub Rust-Push group so that we can see who has 2FA on.

I’ll be sending emails to those affected now, though I probably will not bother notifying reviewers who have been inactive for a long time (there were a lot).


I set up 2fa. Could I have access again?