policy name: two_factor_authentication_not_required_for_org
severity: HIGH
The two-factor authentication requirement is not enabled at the organization level. Regardless of whether users are managed externally by SSO, it is highly recommended to enable this option to reduce the risk of a deliberate or accidental user creation without MFA.
If an attacker gets the valid credentials for one of the organization’s users they can authenticate to your GitHub organization.