Ensure all organization members have MFA enabled

Framework Reference: A.8.5 (Secure Authentication)
Integration: GitHub – Organization Security Settings

Why this matters

Multi-factor authentication (MFA) provides an essential layer of defense against unauthorized access by requiring both a password and an additional verification factor (such as a mobile app code or hardware token).
Enforcing MFA across all organization members reduces the risk of account compromise, credential theft, and unauthorized repository access.

Without MFA, a single stolen or reused password can expose the entire organization’s codebase, secrets, and internal tooling to attackers.


What this check does

This check verifies whether the GitHub organization enforces “Require two-factor authentication for everyone in the organization.”
When enabled, all organization members, outside collaborators, and billing managers must have MFA active on their accounts to retain access.

If this setting is not enabled, or if one or more members do not have MFA configured, the check will fail or show “Unable to verify.”
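
The same verification can be reproduced against the GitHub REST API. The following is an added example, not the check's own code: it reads two_factor_requirement_enabled from GET /orgs/{org} and lists accounts returned by the 2fa_disabled filter, which requires an organization owner's token. The status names, the GITHUB_ORG and GITHUB_TOKEN variables, and the sample data are assumptions made for illustration.

```python
import json
import os
import urllib.request

API = "https://api.github.com"

def gh_get(path, token):
    """GET one GitHub REST API path and return the decoded JSON body."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_2fa_disabled(org, kind, token):
    """Page through 'members' or 'outside_collaborators' without 2FA."""
    logins, page = [], 1
    while True:
        batch = gh_get(f"/orgs/{org}/{kind}?filter=2fa_disabled"
                       f"&per_page=100&page={page}", token)
        logins += [user["login"] for user in batch]
        if len(batch) < 100:
            return logins
        page += 1

def evaluate(org_json, members_no_2fa, collabs_no_2fa):
    """Return (status, offenders); the status names are illustrative."""
    enforced = org_json.get("two_factor_requirement_enabled")
    offenders = sorted(set(members_no_2fa) | set(collabs_no_2fa))
    if enforced is None:
        # The API did not report the setting (assumed: token lacks owner access).
        return "unable_to_verify", offenders
    if not enforced or offenders:
        return "fail", offenders
    return "pass", offenders

def run_check(org, token):
    return evaluate(gh_get(f"/orgs/{org}", token),
                    list_2fa_disabled(org, "members", token),
                    list_2fa_disabled(org, "outside_collaborators", token))

if __name__ == "__main__":
    # Constructed sample responses (not real data), so this part runs offline.
    print(evaluate({"login": "example-org", "two_factor_requirement_enabled": False},
                   ["alice"], ["contractor-bob"]))
    if os.environ.get("GITHUB_TOKEN") and os.environ.get("GITHUB_ORG"):
        print(run_check(os.environ["GITHUB_ORG"], os.environ["GITHUB_TOKEN"]))
```

Running the listing before enabling enforcement shows which accounts would be affected by the change.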


How to fix it

From the GitHub Web Console

  1. Sign in to GitHub as an organization owner.
  2. Navigate to Your organizations → Settings → Security → Authentication security.
  3. Under Two-factor authentication, select Require two-factor authentication for everyone in the organization.
  4. Review the warning message—members without MFA will be removed from the organization.
  5. Click Enable two-factor authentication requirement.

After this setting is enforced, only users with MFA enabled can access organization repositories, settings, and data.


Exceptions

  • Members who do not have MFA enabled will be automatically removed from the organization when enforcement begins.
  • Organization owners can re-invite users once they have enabled MFA on their GitHub accounts.
  • Enterprise-managed users (via SSO or GitHub Enterprise Cloud) may have MFA enforced through their identity provider instead.
