Making WHATWG a 2FA organization

[annevk]

I think it would be nice if we enforced 2FA for the entire organization. That way there's less manual checking when giving people more power and would also guard the organization against people lowering their amount of protection.

Given https://github.com/orgs/whatwg/people?query=two-factor%3Adisabled we'd need to do a decent amount of outreach first, but I'm willing to drive that if there's support for doing this.

See also #113.

[domfarolino]

Does https://github.com/orgs/whatwg/people?query=two-factor%3Adisabled only show correct results for owners or something? I have 2FA enabled, and from my view, Domenic, yourself, and I are all on that list, which isn't correct (for at least me, and presumably you two).

[domenic]

That... appears to be something like what's happening. I can reproduce in incognito mode, where (I would guess) it is just showing everyone in the organization. Also, some of the UI---including the UI for filtering by 2FA---is disabled in incognito.

I guess the idea is non-owners shouldn't be able to see peoples' security status. But IMO it's a GitHub bug that the search field still can be populated with "two-factor:disabled" with no warning about what's happening.