DO Ideas 2

Two-factor authentication

Please allow us to enable two-factor authentication with a hardware or a software token.

  • Simone
  • Sep 11 2018
  • Shipped
  • Moisey Uretsky commented
    September 11, 2018 19:57

    Two factor auth has been launched:

    https://www.digitalocean.com/blog_posts/introducing-two-factor-authentication

    And is available on your settings tab to setup:
    https://www.digitalocean.com/settings

    Thanks!

  • Sharath Win commented
    September 11, 2018 19:57

    This is working like a charm.
    I have used it today. Thanks!

  • Chris Van Patten commented
    September 11, 2018 19:57

    Fantastic, great to hear!

  • Moisey Uretsky commented
    September 11, 2018 19:57

    We've built two-factor auth into the new CP, which is currently in development, and when deployed it will use Google Authenticator.

    We've also added a phone number for SMS as a way to unlock the account should you lose access to your Google Auth app.

    So this will be available as soon as the new CP is launched.

    Thanks!

  • Jason Meinzer commented
    September 11, 2018 19:57

    +1 for Google Authenticator; here is some example Ruby code: https://github.com/bithive/example-totp-vault

  • Christian Herald commented
    September 11, 2018 19:57

    You might consider Nexmo.com for sending SMS.

  • Rob Kerry commented
    September 11, 2018 19:57

    I use Google Authenticator for both SSH (http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html) and user logins (https://github.com/PHPGangsta/GoogleAuthenticator). It's free and widely supported (Amazon uses it also).

    This is on our requirements list for a new VPS provider, so seeing this go live would be great.

  • Rory O commented
    September 11, 2018 19:57

    CloudFlare uses a service called Authy for two-factor authentication via software tokens. It's pretty good.

  • Moisey Uretsky commented
    September 11, 2018 19:57

    Looking into the Google Authenticator and possibly using the phone SMS as a backup or a way to unlock the account.

  • Alexei Robyn commented
    September 11, 2018 19:57

    Any chance you might also consider implementing a mobile app HOTP (e.g. Barada, Google Authenticator) or TOTP (e.g. Google Authenticator, Dropbox, etc.) generator?

    SMS is nice and all, but most telecoms are fairly lax vis-a-vis authentication, so it's pretty easy for an attacker to get access to someone's account and have their SMS forwarded to the attacker. Though, of course, this does usually require you to be targeted, as most approaches are via social engineering rather than website security holes.

  • ZIGGAP LLC commented
    September 11, 2018 19:57

    Thank you very much for the quick response!

  • Moisey Uretsky commented
    September 11, 2018 19:57

    Roland: Will not affect API calls

  • Moisey Uretsky commented
    September 11, 2018 19:57

    We've started laying out some ground work, hopefully 1-2 weeks.

  • ZIGGAP LLC commented
    September 11, 2018 19:57

    Any update on this? I would *very* much like this feature to be implemented ASAP.

  • Roland Moriz commented
    September 11, 2018 19:57

    I recommend using TOTP, as Google Authenticator and Amazon AWS do; see RFC 6238.

    API calls should still be working without 2FA.

  • Troy commented
    September 11, 2018 19:57

    I wouldn't expect you to send Yubikeys out to the masses, but I'd love to be able to use mine since I have it.

    SMS is fine if you're a smartphone user with international roaming, good wireless coverage, a battery that never dies and unlimited texting. For the rest of us, a tiny bit of hardware works better. :)

  • dusty doris commented
    September 11, 2018 19:57

    This is great. I really like Authy if you are still looking for a 3rd party.

  • Moisey Uretsky commented
    September 11, 2018 19:57

    Yubikey is awesome but I don't think we will be sending those out to customers ;)

    Most likely 2 factor auth will be SMS based.

  • Troy commented
    September 11, 2018 19:57

    I'd love to see support for this. Personally, I prefer to use my YubiKey, but any additional factor is welcome.

  • Nick commented
    September 11, 2018 19:57

    Yes! Please do add two-factor auth to user control panels using Google Authenticator.

    The only thing stopping me moving more sites to Digital Ocean is the fact that, no matter how well I secure each droplet, there's still a backdoor to all of them protected only by a password or convincing support request.

    This is much more important to me than DNS Management (which most users will already have from third-parties, such as their domain provider or Cloudflare) and system resource tools (which I'm happy to access via SSH).

  • Moisey Uretsky commented
    September 11, 2018 19:57

    This is definitely something we've discussed and we will most likely be adding in the future.

    We've done quite a few things with Twilio integrations in the past and we'll most likely do something similar in the future.

    We are focused on some other core features at the moment first such as DNS Management, Analytics and Trending of system resources, and Alerting, but we'll definitely be adding this at some point in the future.

    Thanks,
    Moisey

  • Richie commented
    September 11, 2018 19:57

    Yea, why not add the ability to just telesign in with your phone?