MavenCentral & TFA

One of the tasks is to enable a second factor for the crucial login to the relevant open source repository system.

For java, that’s maven-central, so, https://oss.sonatype.org/

However, I can’t find any way to enable TFA here. I’ve filed a ticket with sonatype nexusmanager about it, but let’s assume they don’t support it. How can I best live up to the spirit of this task? Right now the password is an extremely long random string that I’ve stored in a vault, which makes it more or less TFA (you need the password of the vault, and the vault file, which is only on a few hardware devices I own and is synced between them locally)… but if, I dunno, my pastebuffer leaks or whatnot, someone could still push a new release of lombok without my authorization.

Any other java lifters who have experience on this one?

1 Like