Linode Manager Two-Step Authentication

May 2, 2013 4:34 pm

We’re pleased to announce two-step verification as an optional extra layer of protection for your Linode account. Once enabled, logging in will require a six-digit security token in addition to your username and password.

auth-code2

You can enable this new feature by clicking on My Profile from within the Linode Manager, and then “Enable Two-Factor Authentication”.  You’ll be shown your shared secret passphrase and its QR code, which you can scan into your two-factor app. Install one of these apps, scan the QR code shown in the Linode Manager, and then use the app to generate a secure token every time you log in.

Any app that supports the Time-based One-Time Password (TOTP) algorithm can be used to generate the security token for you.

Two-step verification drastically improves the protection of your account by requiring not just something you know (your username and password), but also something you have (your mobile device).

For more information please read our two-factor authentication library article.

Enjoy!

57 Responses

  1. Sad it took what it did to finally make this a priority, but very nice 🙂

  2. Very soon we will be adding code verification to the enable two-factor workflow, as well as some sort of recovery procedure (one use code, etc).

  3. Hi

    This is great. One suggested improved after reading the library article. It would be good if the process had a confirmation where you had to type 2FA code in actually activate it. Pretty sure when setting up my GMail it wasn’t actually activated until I type a 2FA code in. This just makes sure the user is all set up before activation/locking them out and will save support time.

    Other options are disabling 2FA and reseeding the 2FA which would be nice to see.

  4. That didn’t seem to work – I have a sixteen character verification code, but when prompted during login, my code get truncated to six characters! Why is that?

  5. Dave: yup – we totally need to confirm the code. It’s coming very soon… Also, you can enable, regen, or disable 2FA from My Profile.

    Dan – feed that code or scan the QR code into the two-factor app on your mobile phone – like Google Authenticator. Then the app will generate a six-digit code that changes – use THAT code when logging in.

  6. About time!

  7. Ashfire908 – enjoy!

  8. Clicked enable two-factor authentication.

    Whoops!
    Something went wrong 🙁

    Not a good start =/

  9. Just as an fyi…it is no problem to run the same Google Authenticator app configuration on multiple devices.

    Can even run it ok on a cheap Iphone Touch as a backup.
    If like the Itouch it doesnt have camera to capture the QR code, can manually type in the code to get the same result.

    Its handy to have an authentication backup device as I now use 2FA on about 5 accounts so would otherwise be a big hassle if my phone was stolen.

  10. Are you going to enable this for Lish as well?

  11. I got the ‘whoops’ message too. I clicked it again and it worked.

  12. Ryan – argh, a bit of a session race there. We just pushed out a potential fix. If you have any issues please contact support. Sorry about that.

    Matthew – Yup. The Lish gateways will have two-factor in our next release.

  13. Thank you for this!

  14. Great to hear! Thanks for enabling this. I now feel more at ease with the security of my Linode.

  15. 🙂 Good news

    Authy has a great app that supports the Time-based One-Time Password (TOTP), The also has “backups” so you never will have to re-enter your accounts …

    https://blog.authy.com/authenticator

  16. (FYI – I work for Twilio, a platform that enables SMS delivery)

    You might also consider sending the TOTP token via SMS for non-smartphone users, or users that don’t have such an app installed on their device.

    My home boy Joel did a blog post on how to do this in Python:

    http://www.twilio.com/blog/2013/04/add-two-factor-authentication-to-your-website-with-google-authenticator-and-twilio-sms.html

  17. “Very soon we will be adding code verification to the enable two-factor workflow, as well as some sort of recovery procedure (one use code, etc).”

    Perfect! Will you make an announcement here once you have a recovery/auxiliary procedure in place?

    Cheers!

  18. indeed this is a nice feature that improves the security in the user side ie: users using the same password in multiple sites, but if linode it’s hacked (like last time) both the password and the 2FA secret are exposed anyway.

    the real question is what are you doing to prevent incidents like the last one.

    also,I never got any answer regarding why you are storing CC # if you are not PCI complaint

  19. Kevin – we’ve been discussing that, actually – thanks.

    gabriel – This is just part of a much, much larger effort that has completely consumed all efforts here at Linode for the past many weeks, and will continue to do so until the entire plan has been completed. We have literally been working around the clock on improving everything from policies and procedures to major architectural changes. Also, fwiw, we are PCI compliant – but regardless on the roadmap is eliminating us storing payment information all together. Thanks for the comments.

  20. Is there a way to use this without a smartphone?

  21. Not cool that it requires a smartphone app. Need a way to generate the OTP on a Linux system.

  22. There are scripts that implement the TOTP algo.

  23. This is a tough crowd!

    I for one am happily stunned by the pace of the recent improvements, and want to thank the folks at linode for their hard work so far.

    I’m a recent refugee from a different hosting company, and I am not used to this pace 🙂

  24. @caker – If it’s such a large effort why isn’t it being talked about? When are you going to tell us in `detail` what you’re doing to ensure things are better in the future?

    I really like the services that I’ve gotten from linode. The prices are decent for the performance. The support is excellent most of the time, but the lack of transparency (about security, and outages in general) is such a `huge` stain on your reputation. It’s essentially impossible to over look.

    good conversation about this going on over on HN btw, you guys might want to give it a look. https://news.ycombinator.com/item?id=5647384

  25. Thanks for implementing this! I have two suggestions/requests after turning the feature on and testing it a bit:

    It would be nice to not fully enable 2FA until you receive and validate a one-time code. This makes sure that someone didn’t accidentally navigate away from the page, mistype the seed value for non-camera situations, etc. IIRC most other TOTP implementations e.g. Google, Battle.net, Dropbox do this. I appreciate the implicit vote of confidence that your users won’t mess things up, but a verification step would be nice.

    It would also be nice to only require 2FA once a week/month, once per new browser/IP combo, or some other way to decrease the number of times a one-time code is necessary. Again, a lot of other TOTP implementations do this to balance usability with security.

    I’m not suggesting these features just because others do it; they actually seem like reasonable steps to make the feature more user-friendly. At least they might merit future implementation. Thanks!

  26. Great stuff! I’d love the option to print some OTP codes to, if possible.

  27. It is just me or anyone has this problem?

    I’ve successfully enabled and setup 2FA but everytime I entered the 6-digit code, it says invalid code.

  28. This was an essential addition. Great work, and thanks Linode for the effort!

  29. @JBH @jyri – TOTP is an open standard, so I imagine you will be able to find token generators for almost any platform, mobile and desktop. I haven’t tried this, but e.g. here’s a Java implementation:

    http://ecki.github.io/et-otp/

  30. Just curious, what are you using on the server side for TOTP support?

  31. @Matthew – If you’re using a smartphone app make sure the time on your phone is accurate.

  32. Trust in you guys is fully restored! Thanks.

  33. @Matthew @Scott: Also make sure there aren’t typos when you entered the 16-char seed (example of the benefits of verifying a code before turning on 2FA).

  34. Would be wonderful if we could have one-use codes via text (a la Google and Dropbox). This leaves me out in the cold since I don’t have a smartphone!

  35. OK – the system now requires confirmation by requiring a valid token before it will enable two-step on the account.

  36. @Sean: They are talking about it. Literally in this blog post. Talking about how they’re improving the security of the architecture before they are done would mean that potential attackers would know exactly what are the most vulnerable points that Linode has identified as an attack vector. You might as well give them root keys just in case they mess up.

  37. The BlackBerry app listed near the top is for the older BBOS devices, not for BB10. There is a third-party app called Authomator to fill that gap. I’ve been using it for a while for my 2-factor needs.

  38. Caker: Now we just need the ability to restrict what can be done through API, from where (IP addresses), and turn it off altogether. Although the API is awesome it is also sort of a huge hole if someone gets the info needed for it.

  39. Jeremy – that is also in the pipeline. Stay tuned.

  40. A maintenance window has been scheduled for the Linode Manager and API on Sunday, May 5th between 11:00pm and 11:55pm EDT (UTC-4). Linodes will not be affected by this maintenance, but the Linode Manager and API will be briefly unavailable.

    Just saw that in the status …. I wonder if that’s when you’re implementing more security on it.

  41. @gp Good security doesn’t work that way. http://en.wikipedia.org/wiki/Security_through_obscurity

  42. Any possibility of adding Yubikey support?

  43. Would you consider adding backup codes like Google accounts have?

  44. Great news that 2factor auth is now here, +1 for Yubikey support!

  45. @Nathan – You can use Yubikeys to answer TOTP challenges by programming it to challenge-response mode and using an aplication to provide current time to them. There’s official one for Windows, and the article has community ones for Linux.
    The article says gmail in title, but it all sounds TOTP-generic.

    http://www.yubico.com/applications/internet-services/gmail/

    Now, I agree it’s a larger pain than the one-tap auth you’d get with Yubicloud or non-time-based HOTP… however the former would require hooking to Yubico API, and latter is less secure.

  46. Hey, thanks for implementing this!

    Just wondering how two-factor auth works on the Linode iPhone app? Is this on the roadmap?

    Thanks again!

  47. Probably tricky to log into Linode on your phone’s browser.

  48. I’m with Kevin on this one:

    “You might also consider sending the TOTP token via SMS for non-smartphone users, or users that don’t have such an app installed on their device.”

  49. Caker – If you are considering sending the Token via SMS and are looking for another option to Twilio checkout our API at Nexmo.com (I work there)

    We focus on developing relationships directly with mobile operators in many countries including the US, as opposed to simply using other SMS suppliers. This improves quality and support.

    Our pricing for the US is definitely one of the most competitive!

  50. Been waiting for this for some time! Glad to see it’s arrived 🙂 Very happy with all your developments guys!

  51. Will be perfect to add a trusted computer feature as others do. So you don’t have to enter verification code on your personal computer every time.

  52. Very happy to see this implemented. Looking forward to being able to restrict API access, too.

  53. Thanks for doing this folks. This is what I like about linode: a community that’s clever enough to make good recommendations, and a company that’s responsive enough to implement them when they make sense.

    We are a tough crowd, but I for one appreciate your hard work.

  54. Thanks to have made this an option!
    I don’t want be slave of my phone! 🙂

  55. >Not cool that it requires a smartphone app. Need a way to generate the OTP on a Linux system.

    http://www.nongnu.org/oath-toolkit/

    This includes a utility called oathtool, which can produce both HOTP and TOTP codes. The Gentoo sunrise overlay has an ebuild for it.

  56. I ran into problem with Google Authenticator. Every code I input got rejected. And now I cannot login to my Linode account.

    I think NameCheap two way authenticator via SMS is far better and stable.

  57. For those who enter that 6-digit token code, but it says it’s invalid.

    Double-check that the time on your 2FA device is accurate to within 30 seconds of the actual time within your timezone which can be viewed at
    http://www.nrc-cnrc.gc.ca/eng/services/time/web_clock.html
    or
    http://www.time.gov

    If above is not working. Using your 2FA device:
    1. Manually deactivate the ~”Set the time and timezone automatically from the network”. The clock on your wireless network, router, or computer might be miss-configured.

    2. Manually set your 2FA device time and timezone based on within 30 seconds of:
    http://www.nrc-cnrc.gc.ca/eng/services/time/web_clock.html
    http://www.time.gov/

Leave a Reply