On Tue, Jun 18, 2024 at 12:19:19PM GMT, ELFORD, Richard (NHS SOUTH, CENTRAL AND WEST COMMISSIONING SUPPORT UNIT) wrote: > Dear Git > > I am writing to enquire about multi factor authentication on cloud hosted > software. As part of our ongoing efforts to enhance cybersecurity and > protect sensitive data, we are seeking information related to the NHS > England Multi-Factor Authentication (MFA) Policy with regards to software > products which we have from your company. There is no company, so this questionnaire is not relevant. Git is an open-source project without any one particular entity "owning" it. To answer your question specifically, git does not have a builtin authentication layer -- it relies on the underlying network protocol for this purpose. Any MFA implementation and enforcement would be dependent on the protocol used to access git repositories. I recommend using ssh pre-shared keys on FIDO2-capable tokens -- it's the most robust and least user-hostile option in my experience. -K
