DO Ideas 2

Allow multifactor authentication without SMS

Would be nice to have an alternative to SMS for the multifactor backup key - a printed list of backup codes, for example.

  • Jeff
  • Sep 11 2018
  • Shipped
  • Sep 11, 2018

    Admin Response

    We've made this change and announced it as part of an update to 2FA today. Changes include the ability to have downloadable codes as a backup method instead of SMS. You can check out the changes in the Security section of Settings or read more about it here: https://www.digitalocean.com/company/blog/updates-to-digitalocean-two-factor-authentication/ Thank you for the feedback!
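The mechanics behind downloadable backup codes like the ones announced above, as an added illustration and not DigitalOcean's own code: each code is a random single-use secret, the server keeps only a keyed hash of it (so a leaked table cannot be brute-forced offline, since a 40-bit code is trivially enumerable against a plain hash), user input is normalised before checking, and a code is deleted the moment it is redeemed. The names `BackupCodeStore`, `generate_backup_codes` and `redeem_backup_code` and the pepper value are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_HEX_CHARS = 10  # 40 bits of entropy per code, shown as xxxxx-xxxxx


@dataclass
class BackupCodeStore:
    """Per-account state: a server-side pepper and the keyed hashes of unused codes."""
    pepper: bytes                      # kept outside the user database (assumed: KMS/env)
    hashes: set = field(default_factory=set)


def normalize(code: str) -> str:
    """Accept what a human types from a printout: ignore dashes, spaces and case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(pepper: bytes, code: str) -> str:
    # HMAC with a pepper: a leaked hash set alone is not enough to recover codes.
    return hmac.new(pepper, normalize(code).encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(store: BackupCodeStore, count: int = 10) -> list[str]:
    """Issue a fresh batch; any previously issued batch is invalidated."""
    store.hashes = set()
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_HEX_CHARS // 2)   # CSPRNG, never random.random
        code = f"{raw[:5]}-{raw[5:]}"
        codes.append(code)
        store.hashes.add(hash_code(store.pepper, code))
    # Plaintext codes are returned exactly once, for the user to print or download.
    return codes


def redeem_backup_code(store: BackupCodeStore, candidate: str) -> bool:
    """Consume a code. Returns True once per code, False for unknown or reused codes."""
    digest = hash_code(store.pepper, candidate)
    matched = None
    # Compare against every stored hash without early exit to keep timing uniform.
    for stored in store.hashes:
        if hmac.compare_digest(stored, digest):
            matched = stored
    if matched is None:
        return False
    store.hashes.discard(matched)   # single use: the same code never works twice
    return True


def remaining_codes(store: BackupCodeStore) -> int:
    """Useful for warning the user when they are running low and should regenerate."""
    return len(store.hashes)


if __name__ == "__main__":
    account = BackupCodeStore(pepper=b"constructed-example-pepper")
    batch = generate_backup_codes(account)
    print("printable codes:", batch)
    print("first use:", redeem_backup_code(account, batch[0].upper()))   # True
    print("reuse:", redeem_backup_code(account, batch[0]))               # False
    print("left:", remaining_codes(account))                             # 9
```

Redemption should also be rate-limited per account, exactly as the TOTP path is, since a code space of 2^40 is only safe against online guessing when attempts are throttled.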
  • jomo commented
    September 11, 2018 18:22

    Security: As many others have pointed out, SMS is a very vulnerable technology (it's totally hackable if you put some effort into it). 2FA is supposed to be (2 of) knowledge, possession, and inherence. SMS is none of that.

    Privacy: It also requires users to submit their phone number to DigitalOcean, which some people (such as me) might not be comfortable with. I don't share my phone number with "the internet".

    Also, please note that NIST is deprecating SMS 2FA: https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

  • ju commented
    September 11, 2018 18:22

    Currently, we can use google authenticator so without SMS but there is no backup code.
    Note also, there are multiple other suggestions which can be grouped with this one (Enable a recovery option for two-factor authentication, 2 step authentication SMS backup...)

  • Ryan O'Horo commented
    September 11, 2018 18:22

    I don't feel comfortable protecting my assets with an SMS based authentication mechanism. SMS is a cleartext channel which is vulnerable to snooping directly through telecom providers, wireless attacks, as well as social engineering attacks against the mobile provider who controls the number.

    Here's a great article in support of this position:

    http://fortune.com/2016/06/27/two-factor-authentication-sms-text/

    I would much prefer to be able to print out backup codes so they can be stored securely. I would even accept the risk of not being able to recover my account by not providing a phone number.

  • Игорь Тарасов commented
    September 11, 2018 18:22

    Just recently this happened: https://www.bellingcat.com/news/2016/04/30/russia-telegram-hack/

    In short, Russian authorities have easy access to SMS messages, so that they could temporarily intercept all messages. And this is being used not against terrorists, but against political activists.

    And SMS could no longer be considered secure (at least in some countries). But since you have the option to disable 2 factor authentication with an SMS message, all this renders 2 factor authentication useless against this kind of attack. So, replacing SMS with backup codes might be a solution.

  • Tao Bojlen commented
    September 11, 2018 18:22

    Backup keys would be very helpful! If I ever change my number, I have to remember to update my number on DigitalOcean too, and this could be avoided.

  • ottodv commented
    September 11, 2018 18:22

    It would be nice to be able to set up 2FA without the need to set up a failover mobile phone. In my case I am not receiving the SMSs on my phone for some reason, and as a result cannot set up 2FA at all. But why? It's much safer to have 2FA without a failover phone than no 2FA at all.

    ps. I've contacted support about the problem of not receiving SMSs and they cannot resolve it at the moment.

  • Hugo Osvaldo Barrera commented
    September 11, 2018 18:22

    It would also be nice to benefit from the security of 2FA, without incurring the costs and burden of maintaining a mobile phone line (if you lose your phone, you've permanently lost access to your fallback!).

    Printed codes are not necessary, recommending that the user backs up the shared secret should be enough.

  • Ivan Manida commented
    September 11, 2018 18:22

    Just show the code when creating google auth link, and ask users to print it out / save it.

    You should have an option to not use SMS recovery for people who find it very insecure / travel a lot and have many SIM cards / don't use mobile phones.

  • Nate commented
    September 11, 2018 18:22

    Adding the option to use something like Google Authenticator could also be helpful as an alternative to SMS authentication.

  • Hugo Osvaldo Barrera commented
    September 11, 2018 18:22

    This is extremely important. Those of us without any sms-capable lines (or devices) have no access to 2fa.

    Those who *do* have mobile phones, probably use mobile-phone based generators, meaning that the primary device and the fallback are the same - losing one means losing the other.

    Backing up the shared key and a list of emergency tokens should be enough for anybody.

    > When we originally put together TFA we wanted to ensure security and identity of the person enabling it on the account which is why we went with TFA and SMS.

    Aren't the credit card details you have enough to ensure the identity of the person?
    It's not like an SMS line is traceable to a physical person: they can be bought anonymously on trains or at kiosks, etc.

  • Victor Gama commented
    September 11, 2018 18:22

    When enabling TFA, a printable list of spare codes should be offered.

  • MichaelM commented
    September 11, 2018 18:22

    Commenting here since my suggestion was merged to this one...

    This is an important issue. The problem is that most people will have the Authenticator app running on their phone. If the phone dies, is lost, or whatever, then neither the OTP or an SMS is going to help.

    DropBox, GitHub, etc. all allow you an emergency code to store in a safe place and use in case of an emergency. It would be great if DO could do the same, or offer some other emergency workflow where two factor authentication can be completed without a mobile phone.

  • Brandon commented
    September 11, 2018 18:22

    I agree. Why has this been ignored by DO? Whilst it's important that people be careful with their devices, there are often situations in which devices are lost or stolen and it's out of the control of the person. Most, if not all, of the big sites out there that support 2-factor authentication provide a backup way of getting into the account if the authenticator device is lost or stolen.

  • Curdin commented
    September 11, 2018 18:22

    Agreed, that would be great - or alternatively the ability to add a landline as a backup number - pass the code as a voice message.

  • Bruce Aldridge commented
    September 11, 2018 18:22

    especially as most people receive both texts and use the google authenticator app on the same device

  • Iuri de Silvio commented
    September 11, 2018 18:22

    It is important for me. Without a physical code, it is really scary to enable the two-factor auth.

  • Moisey Uretsky commented
    September 11, 2018 18:22

    When we originally put together TFA we wanted to ensure security and identity of the person enabling it on the account which is why we went with TFA and SMS.

    But if we get enough up votes we'll look into it.

    Thanks