Yubikey as 2FA option for Manager?
Are there any plans to support Yubikeys as a second login factor for the Manager interface, whether via FIDO/U2F or Yubikey-generated OTPs?
65 Replies
scrane
Linode Staff
Hey there!
Adding options for 2FA like Yubikey or FIDO/U2F is definitely on our radar. While I can't give an estimate yet, I'll make sure to add your request to our internal issue tracker to make the desire for this feature known. If there's anything else we can do for you, please don't hesitate to let us know.
Bump! I asked a question earlier about webauthn, which I believe would be an easy way to support the use of FIDO or FIDO2 devices like Yubikeys. My registrar now supports FIDO, and so does Google; my Linode interface is starting to "stick out" as the single most vulnerable element of my domain setup. I can enable one of your other 2FA options, but I'm very uncomfortable with the "must trust my phone" element of the existing options; to be frank, I don't really think of my phone as being a trusted computing environment.
Please consider supporting FIDO or FIDO 2, and maybe do it using webauthn!
Thanks for all of your great work.
Bump, U2F would be great.
I'm currently using yubikey's 2FA functionality but this requires a sudo yubioath -s2 6 + copy paste every time and doesn't benefit from the security of the hardware button press.
+1, yes. Please support 2FA using U2F! Not all of us have a smartphone with us all the time.
I would also like to have U2F for logging into Linode. Smart phones are less and less trustworthy. It would be great to be able to use my Yubikey or a Google Titan key without having to use an authenticator app as well.
Thanks.
This is another bump for U2F for 2FA. I'm a big fan of Yubikey and use them whenever possible. Having it to protect Manager would be amazing.
Bump! It's been more than a year since I posted on this thread, so I'm giving myself permission to do it again. Please please please? Security is sliding right down the hole, these days. I want to get something solid set up before the US tries to get back doors on everything (cf. recent eff.org postings…).
John Clements
+1 for U2F 2FA! Maybe Solokeys as well as yubikey (who seem to be proprietary/closed-source)?
Bump! New news on this front from Ars Technica, in an article entitled "Apple has finally embraced key-based 2FA. So should you." (https://arstechnica.com/information-technology/2020/07/apple-has-finally-embraced-key-based-2fa-so-should-you/). I imagine that the "you" referred to in the article is users, but it applies equally well to companies such as Linode.
A number of years ago, I did a brief security audit, and discovered that my Linode login was my number one most compromisable point of entry. An attacker that gains control of my Linode login can easily get root permission on all of my servers, and install whatever evil software they want.
What about 2FA such as Authy? Honestly, the additional security provided by these authenticators is utterly compromised by the existence of combined tools such as 1Password. Since 1Password can act as an authenticator, then suddenly my 1Password password becomes again a "golden key" that can bypass 2FA. You may choose to blame my foolish decision to entrust my authenticator credentials to 1Password, but I guarantee you that professionals all over the world will do the same thing, until they are forced not to by mechanisms based on true hardware authentication.
Put simply, without the best possible protection, Linode is simply asking to be the next headline: Promising Startup Destroyed by Lax Security. Hardware authentication is absolutely necessary for any person or business that wants to securely protect their infrastructure. Without hardware authentication, Linode is just playing in the minor leagues.
watrick
Linode Staff
Thanks for bringing this up again and for linking to that article. As Rob mentioned back a couple of months ago, we have been looking into this. I've added the recent requests to our internal feature tracker.
I also appreciate you outlining some of the caveats that make you not want to use currently available options. That said, I would recommend being very cautious about outlining any personal security practices on a public forum.
+1 Here for the yubikey support. Conscious this request has gone through, just want to make sure Linode is aware this is still a desired feature :) (also any updates on the progress would be very welcome)
rdaniels
Linode Staff
rdaniels
Linode Staff
Re-bump, is this request any closer to being picked up? I understand implementing it is probably non trivial, however I believe it is an important feature for the future of Linode.
I've recently been rolling out mandatory U2F or SSH+yubico-OTP throughout our organisation for critical services and infrastructure. The Linode Manager is one of the most sensitive pieces and yet the only part still stuck on software based 2FA which makes me nervous when I need to give others remote access.
This is not a complaint, I love your service, i'm just trying to stress how important this feature is for many of us.
I would ALSO really like U2F. It's much better than having to shuffle around a bunch of separate authenticators.
rdaniels
Linode Staff
@ls-tombrierley and @electricblue We don't have any updates at this time, but I've made sure to pass along your feedback and included your votes in our internal tracker for future reference. Thanks for sharing your thoughts with us!
I hate to say it, but as much as I love Linode, I'm starting to think about migrating to another service. I have absolutely zero other complaints, but @ls-tombrierley hits the nail on the head: this is becoming a glaring security hole. Please please please move Linode into the modern age.
Thank you so much for all of the work you do!
I'm getting very frustrated with the lack of action on this; this is a huge security problem. You just added a blog post called "Credible Alternative Cloud Provider Checklist: 6 Must-have Capabilities".
https://www.linode.com/blog/alternative-cloud/alternative-cloud-provider-checklist/
Strangely, this checklist doesn't seem to include "up-to-date security infrastructure". The failure to support hardware authentication is a real problem for Linode. It's been years that you've had to fix this problem. I'm very tired of apologizing for Linode in this regard.
Just another bump. As folks have mentioned, we run some pretty important stuff on our Linode servers. 2FA via U2F or FIDO2/webauthn would give a lot of us piece of mind. We're in the process of supporting it our own software. ;)
And another bump. This would be extremely convenient. I'd also like two things along with it:
- The ability to register more than one device on one account. This way I can have a backup key, or different format keys (eg, USB A and USB C).
- The ability to use a key for more than one account. This can be useful in some scenarios. For instance at AWS, my company can give me an user inside the organization, and then I can use my own personal Yubikey on it without it conflicting with my personal AWS account.
+1 for U2F with yubikey - two and a half years have passed and still no progress with this whatsoever. Competitors have it (I could name them), but when will it be finally integrated with Linode? It's not that hard to integrate and could have been done a long time ago!
Is there a particular reason U2F/FIDO is not implemented? It's really not that complicated to implement.
I would like express my interest as well.
I understand properly implementing this is difficult, I feel like this is a very important feature.
My servers hold some of the most sensitive data I have. It feels strange having hardware keys required to login to the server, but being able to gain root access to the server from the cloud manger without them.
+1 on multiple Yubikey support from me. U2F preferably; requiring FIDO2 specifically would be an inconvenience to the large, established user base.
+1 This is an important feature. Smartphone based 2FA does not really cut it any more for critical infrastructure.
Just signed up to Linode and was floored to find that there is still no option to add any kind of hardware token to the 2FA setup in the management system.
Absolutely. Floored.
It's mid-2022 now. Hardware token support is becoming nearly ubiquitous, right on the heels of software 2FA tokens, even on sites where it's really not protecting anything particularly important. This thread is now moving toward it's 4th birthday, with zero apparent progress on supporting hardware 2FA tokens.
And no reason given why it hasn't already been implemented.
I am the opposite of impressed right now.
This is absolutely appalling. I've been posting on this thread for three years and six months. I'm struggling to stay civil. There has just been a serious attack on Authy, apparently compromising many 2FA keys. Here's an article in Ars Technica:
In this article, it mentions that Cloudflare employees were not successfully phished. The article writes:
"One company that was targeted but didn't fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA that used physical keys such as Yubikeys, which along with other FIDO2 compliant forms of 2FA, can't be phished. Companies spouting the tired mantra that they take security seriously shouldn't be taken seriously unless phishing-resistant 2FA is a staple of their digital hygiene."
(Ars Technica, "The number of companies caught up in recent hacks keeps growing", Dan Goodin, 2022-08-26)
Folks, it's time for us to leave; Linode is just not getting the job done. Any recommendations for alternatives?
Vultr supports Yubikey. Here is their article on using two-factor authentication with their control panel. Hopefully Linode will catch up with their compotition.
Bump, again. Is it still on the radar? A real shame this isn't an option.
tlambert
Linode Staff
Hey there!
As it stands now, we still don't have an update for on the implementation of additional forms of 2FA for Cloud Manager.
I went ahead and submitted all your recent feedback to our internal tracking for this feature.
Yo, its been 4 years and you guys still haven't added 2FA support for YubiKey…. is this really "on your radar" still or are you just making people wait?
Can I please get some Linode staff on this? I was giving ProtonMail a hard time about this because they didnt support it and about 2 months later it was pushed…. how does Linode not support 2FA with hard tokens.
Can you please give the community an answer.
I expect this sort of functionality in 2022; Especially with Apple's new utilization of the standard with Passkeys. This is one of the few accounts I can't use Passkeys with yet…
Come on, Linode, we're still waiting…
I switched to using GitHub for Linode authentication. It's way more convenient and it supports 2FA. I guess directly implementing 2FA would be better, but authenticating via GitHub is good enough for me.
+1 on this. It's now 2023, and it's long past time.
"…it's on our radar" - friendly and helpful inactivity.
I also would like to express interest in this. Currently neither you nor Digital Ocean support this but if you did I would be more likely to choose you over them when picking which provider to use.
tlambert
Linode Staff
While the Cloud Manager does not have direct key support for your Yubikey, a workaround that will work for some folks will be to utilize the Yubico Authenticator App. Similar to Duo or Google Authenticator, this app creates TOTP authentication codes that are backed by your Yubikey hardware.
This YouTube video titled Yubico Authenticator App offers instructions on setting up the app using your Google account. You can use these same instructions to configure Cloud Manager 2FA to use the Yubico Authenticator App.
If this doesn't work for you, another potential workaround is to use your Yubikey as your MFA device for your Google account, and configure Third Party Authentication on Your Linode User Account using Google. This will indirectly allow you to use your Yubikey to login to your Linode account.
I understand these are workarounds and may not be exactly what some of you are looking for. Direct Yubikey support is still something that is in our feature request tracker. Hopefully this gives you some options for the near future.
Its 2023, another year, another round of hacking, and Linode still does not have YubiKey support for 2FA. Its almost as if the hacks at Github and CircleCI are meaningless and security is an afterthought to the company. Can we get an update, this is absurd.
@scrane [@watrick] (/community/user/watrick) @rgerke @tlambert can we get some kind of an update on this. I cannot believe this thread has been open this long and we have nothing.
Dear people of the future, here is what we know so far. Back in 2019 Hardware 2FA was discussed. Nothing else has happened, and there are no confirmed plans for it to happen. You are now all caught up.
Also bumping here… I've been locked out of my Linode account once because of stupid 2FA code apps and a bricked device.
I have 3 hardware keys that i use whenever and wherever I truly care about the account. Weirdly, it's financial institutions that lag the most here, as well as… Linode.
I'd rather not have to worry about this anymore, nor round-robin link my auth to some other service i may or may not want or whose terms I'd rather not agree to.
Oh! Hi! Here I am again. I'm writing to say that I think FIDO2 support is way stupid, and Linode definitely should not support FIDO2 keys. And also, this is definitely me writing this, and not somebody that hacked my account using a cheap off-the-shelf TOTP violator kit that's for sale as described by this Ars Technica article:
Actually, maybe you shouldn't read that article, sorry I posted it.
Yours very sincerely,
Hacker^H^H^H^H^H^HJohn Clements
Still no 2FA support, no response to my comments even though I have tagged users that have previously been identified as employees of Linode, are they all no longer with the company?
Either way, I have found a better Linode alternative that supports 2FA. I am closing my account and moving my instances elsewhere.
Goodbye Linode. I hope the rest of you smarten up and leave Linode as well. This level of support (or lack thereof) is insanely stupid.
jackley
Linode Staff
Hi folks. I understand this is a high priority feature request for all of you, and I've personally shared this thread internally several times. The status is still the same: this feature request has been tracked, but we don't have a timeline for releasing hardware-based 2FA support.
We shared some workarounds above – these are going to be the best options until hardware-based 2FA support is added to the Cloud Manager:
While the Cloud Manager does not have direct key support for your Yubikey, a workaround that will work for some folks will be to utilize the Yubico Authenticator App. Similar to Duo or Google Authenticator, this app creates TOTP authentication codes that are backed by your Yubikey hardware.
This YouTube video titled Yubico Authenticator App offers instructions on setting up the app using your Google account. You can use these same instructions to configure Cloud Manager 2FA to use the Yubico Authenticator App.
If this doesn't work for you, another potential workaround is to use your Yubikey as your MFA device for your Google account, and configure Third Party Authentication on Your Linode User Account using Google. This will indirectly allow you to use your Yubikey to login to your Linode account.
I would encourage everyone here to voice their feedback about this feature request in our Feedback form (you may need to disable ad-blockers to get the form to appear):
I'm genuinely pleased to hear a response, even if it's not the response I was looking for; many thanks, @jackley . When using the Feedback form, would "Contact Support" or "Report a Security Issue" be the most appropriate path to beg for direct FIDO2 support?
Thanks again,
John Clements
Also: @redteamcafe , do you mind sharing the name of the provider you found? If I can find another provider I trust, I'd love to leave Linode as well.
I agree that this is now a security issue
SMS verification or answering questions is not a serious approach
We are downgrading Akamai Linode's rating in the requirements grid
So when is this finally coming? It's been 4 1/2 years!
Any serious company must absolutely use FIDO/U2F keys, isn't Akamai a serious hosting company?
There's no point having all sorts of firewalls and DDoS protection if the login itself doesn't rely on something very solid, and right now without the ability to use FIDO/U2F keys it does not.
What are these developers doing all day for this to still not be done after 4.5 years??? Perhaps time to "renew" your staff and bring some people who get stuff done?
While the Yubico authenticator app is a nice workaround, this feature has been requested for YEARS. This thread (itself) is over 4 years old. There are little excuses. This is not some website that offers a service to casual users, the people that sign up are tech experts or passionate hobbyists. How long is it going to take you guys to implement the next security feature when the industry moves to a different standard or practice?
Anyone coming to this post in the future, just switch to Vultr or a simmilar provider (AWS, GCP, etc….), Linode has proven that they do not care, and that implementing security features is not a priority to them, they do not deserve your support. I understand if this was maybe year or so old, but this thread has gone on for so long, has received little attention or support and is clear evidence that Linode just doesnt care.
I'm finally done with this. Linode used to be able to justify their premium prices with premium service and features; that's no longer the case. I'm in the process of migrating my servers away to a competitor. BYEEEEEEE!
5 years now that this very important feature has been requested… Where are we with this???
Hello,
Using passwords, or SMS, or other legacy options such as 3rd party hosted google authentication, is a security violation for my org.
Ideally webauthn passkey login, such as with a yubuikey, should be the primary way to access linode services. While using webauthn as 2FA is better than nothing, so long as any password exists that is a problem.
Ideally, passwords, 3rd party authenticators like Symantec, email 2fa, and SMS should not even be allowed, because we dont want our administrators to be allowed to enable such things - because they can be used for account hijack and thus are problematic simply by existing as options.
Please consider implementing webauthn passkey login ASAP.
