Please allow us to enable two-factor authentication with a hardware or a software token.
Two factor auth has been launched:
And is available on your settings tab to set up:
This is working like a charm
I have used it today. Thanks
Fantastic, great to hear!
We've built out two-factor auth into the new CP, which is currently in development, and when deployed it will be using Google Authenticator.
We've also added a phone-number SMS as a way to unlock the account should you lose access to your Google Auth App.
So this will be available as soon as the new CP is launched.
+1 for Google Authenticator; here is some example Ruby code: https://github.com/bithive/example-totp-vault
You might consider Nexmo.com for sending SMS.
I use Google Authenticator for both SSH (http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html) and user logins (https://github.com/PHPGangsta/GoogleAuthenticator). It's free and widely supported (Amazon uses it also).
This is on our requirements list for a new VPS provider, so seeing this go live would be great.
CloudFlare uses a service called Authy for two-factor authentication via software tokens. It's pretty good.
Looking into the Google Authenticator and possibly using the phone SMS as a backup or a way to unlock the account.
Any chance you might also consider implementing a mobile app HOTP (e.g. Barada, Google Authenticator) or TOTP (e.g. Google Authenticator, Dropbox, etc.) generator?
SMS is nice and all, but most telecoms are fairly lax vis-a-vis authentication, so it's pretty easy for an attacker to get access to someone's account and have their SMS forwarded to you. Though, of course, this does usually require you to be targeted as most approaches are via social engineering rather than website security holes.
Thank you very much for the quick response!
Roland: Will not affect API calls
We've started laying out some ground work, hopefully 1-2 weeks.
Any update on this? I would *very* much like this feature to be implemented ASAP.
I recommend using TOTP, as Google Authenticator or Amazon AWS does; see RFC 6238.
API calls should still be working without 2FA.
I wouldn't expect you to send Yubikeys out to the masses, but I'd love to be able to use mine since I have it.
SMS is fine if you're a smartphone user with international roaming, good wireless coverage, a battery that never dies and unlimited texting. For the rest of us, a tiny bit of hardware works better. :)
This is great. I really like Authy if you are still looking for a 3rd party.
Yubikey is awesome but I don't think we will be sending those out to customers ;)
Most likely 2 factor auth will be SMS based.
I'd love to see support for this. Personally, I prefer to use my YubiKey, but any additional factor is welcome.
Yes! Please do add two-factor auth to user control panels using Google Authenticator.
The only thing stopping me moving more sites to Digital Ocean is the fact that, no matter how well I secure each droplet, there's still a backdoor to all of them protected only by a password or convincing support request.
This is much more important to me than DNS Management (which most users will already have from third-parties, such as their domain provider or Cloudflare) and system resource tools (which I'm happy to access via SSH).
This is definitely something we've discussed and we will most likely be adding in the future.
We've done quite a few things with Twilio integrations in the past and we'll most likely do something similar in the future.
We are focused on some other core features at the moment first such as DNS Management, Analytics and Trending of system resources, and Alerting, but we'll definitely be adding this at some point in the future.
Yea, why not add the ability to just telesign in with your phone?