
Linode Manager Two-Step Authentication

We’re pleased to announce two-step verification as an optional extra layer of protection for your Linode account. Once enabled, logging in will require a six-digit security token in addition to your username and password.

You can enable this new feature by clicking on My Profile from within the Linode Manager, and then “Enable Two-Factor Authentication”. You’ll be shown your shared secret passphrase and its QR code, which you can scan into your two-factor app. Install one of these apps, scan the QR code shown in the Linode Manager, and then use the app to generate a secure token every time you log in.

Any app that supports the Time-based One-Time Password (TOTP) algorithm can be used to generate the security token for you.

Two-step verification drastically improves the protection of your account by requiring not just something you know (your username and password), but also something you have (your mobile device).

For more information please read our two-factor authentication library article.

Enjoy!


Comments (57)

  1. Author Photo

    Sad it took what it did to finally make this a priority, but very nice 🙂

  2. Christopher Aker

    Very soon we will be adding code verification to the enable two-factor workflow, as well as some sort of recovery procedure (one use code, etc).

  3. Author Photo

    Hi

    This is great. One suggested improvement after reading the library article: it would be good if the process had a confirmation step where you had to type a 2FA code in to actually activate it. Pretty sure when setting up my GMail it wasn’t actually activated until I typed a 2FA code in. This just makes sure the user is all set up before activation/locking them out and will save support time.

    Other options are disabling 2FA and reseeding the 2FA which would be nice to see.

  4. Author Photo

    That didn’t seem to work – I have a sixteen character verification code, but when prompted during login, my code gets truncated to six characters! Why is that?

  5. Christopher Aker

    Dave: yup – we totally need to confirm the code. It’s coming very soon… Also, you can enable, regen, or disable 2FA from My Profile.

    Dan – feed that code or scan the QR code into the two-factor app on your mobile phone – like Google Authenticator. Then the app will generate a six-digit code that changes – use THAT code when logging in.

  6. Author Photo

    About time!

  7. Christopher Aker

    Ashfire908 – enjoy!

  8. Author Photo

    Clicked enable two-factor authentication.

    Whoops!
    Something went wrong 🙁

    Not a good start =/

  9. Author Photo

    Just as an fyi…it is no problem to run the same Google Authenticator app configuration on multiple devices.

    Can even run it OK on a cheap Iphone Touch as a backup.
    If, like the Itouch, it doesn’t have a camera to capture the QR code, you can manually type in the code to get the same result.

    It’s handy to have an authentication backup device, as I now use 2FA on about 5 accounts, so it would otherwise be a big hassle if my phone was stolen.

  10. Author Photo

    Are you going to enable this for Lish as well?

  11. Author Photo

    I got the ‘whoops’ message too. I clicked it again and it worked.

  12. Christopher Aker

    Ryan – argh, a bit of a session race there. We just pushed out a potential fix. If you have any issues please contact support. Sorry about that.

    Matthew – Yup. The Lish gateways will have two-factor in our next release.

  13. Author Photo
  14. Author Photo

    Great to hear! Thanks for enabling this. I now feel more at ease with the security of my Linode.

  15. Author Photo

    🙂 Good news

    Authy has a great app that supports the Time-based One-Time Password (TOTP). They also have “backups” so you never will have to re-enter your accounts …

    https://blog.authy.com/authenticator

  16. Author Photo

    (FYI – I work for Twilio, a platform that enables SMS delivery)

    You might also consider sending the TOTP token via SMS for non-smartphone users, or users that don’t have such an app installed on their device.

    My home boy Joel did a blog post on how to do this in Python:

    http://www.twilio.com/blog/2013/04/add-two-factor-authentication-to-your-website-with-google-authenticator-and-twilio-sms.html

  17. Author Photo

    “Very soon we will be adding code verification to the enable two-factor workflow, as well as some sort of recovery procedure (one use code, etc).”

    Perfect! Will you make an announcement here once you have a recovery/auxiliary procedure in place?

    Cheers!

  18. Author Photo

    Indeed this is a nice feature that improves the security on the user side, i.e. users using the same password on multiple sites, but if Linode is hacked (like last time) both the password and the 2FA secret are exposed anyway.

    The real question is what are you doing to prevent incidents like the last one.

    Also, I never got any answer regarding why you are storing CC # if you are not PCI compliant.

  19. Christopher Aker

    Kevin – we’ve been discussing that, actually – thanks.

    gabriel – This is just part of a much, much larger effort that has completely consumed all efforts here at Linode for the past many weeks, and will continue to do so until the entire plan has been completed. We have literally been working around the clock on improving everything from policies and procedures to major architectural changes. Also, fwiw, we are PCI compliant – but regardless, on the roadmap is eliminating us storing payment information altogether. Thanks for the comments.

  20. Author Photo

    Is there a way to use this without a smartphone?

  21. Author Photo

    Not cool that it requires a smartphone app. Need a way to generate the OTP on a Linux system.

  22. Christopher Aker

    There are scripts that implement the TOTP algo.

  23. Author Photo

    This is a tough crowd!

    I for one am happily stunned by the pace of the recent improvements, and want to thank the folks at linode for their hard work so far.

    I’m a recent refugee from a different hosting company, and I am not used to this pace 🙂

  24. Author Photo

    @caker – If it’s such a large effort why isn’t it being talked about? When are you going to tell us in `detail` what you’re doing to ensure things are better in the future?

    I really like the services that I’ve gotten from linode. The prices are decent for the performance. The support is excellent most of the time, but the lack of transparency (about security, and outages in general) is such a `huge` stain on your reputation. It’s essentially impossible to overlook.

    Good conversation about this going on over on HN btw, you guys might want to give it a look. https://news.ycombinator.com/item?id=5647384

  25. Author Photo

    Thanks for implementing this! I have two suggestions/requests after turning the feature on and testing it a bit:

    It would be nice to not fully enable 2FA until you receive and validate a one-time code. This makes sure that someone didn’t accidentally navigate away from the page, mistype the seed value for non-camera situations, etc. IIRC most other TOTP implementations e.g. Google, Battle.net, Dropbox do this. I appreciate the implicit vote of confidence that your users won’t mess things up, but a verification step would be nice.

    It would also be nice to only require 2FA once a week/month, once per new browser/IP combo, or some other way to decrease the number of times a one-time code is necessary. Again, a lot of other TOTP implementations do this to balance usability with security.

    I’m not suggesting these features just because others do it; they actually seem like reasonable steps to make the feature more user-friendly. At least they might merit future implementation. Thanks!

  26. Author Photo

    Great stuff! I’d love the option to print some OTP codes to, if possible.

  27. Author Photo

    Is it just me or does anyone else have this problem?

    I’ve successfully enabled and set up 2FA, but every time I enter the 6-digit code, it says invalid code.

  28. Author Photo

    This was an essential addition. Great work, and thanks Linode for the effort!

  29. Author Photo

    @JBH @jyri – TOTP is an open standard, so I imagine you will be able to find token generators for almost any platform, mobile and desktop. I haven’t tried this, but e.g. here’s a Java implementation:

    http://ecki.github.io/et-otp/

  30. Author Photo

    Just curious, what are you using on the server side for TOTP support?

  31. Author Photo

    @Matthew – If you’re using a smartphone app make sure the time on your phone is accurate.

  32. Author Photo

    Trust in you guys is fully restored! Thanks.

  33. Author Photo

    @Matthew @Scott: Also make sure there aren’t typos when you entered the 16-char seed (example of the benefits of verifying a code before turning on 2FA).

  34. Author Photo

    Would be wonderful if we could have one-use codes via text (a la Google and Dropbox). This leaves me out in the cold since I don’t have a smartphone!

  35. Christopher Aker

    OK – the system now requires confirmation by requiring a valid token before it will enable two-step on the account.

  36. Author Photo

    @Sean: They are talking about it. Literally in this blog post. Talking about how they’re improving the security of the architecture before they are done would mean that potential attackers would know exactly what are the most vulnerable points that Linode has identified as an attack vector. You might as well give them root keys just in case they mess up.

  37. Author Photo

    The BlackBerry app listed near the top is for the older BBOS devices, not for BB10. There is a third-party app called Authomator to fill that gap. I’ve been using it for a while for my 2-factor needs.

  38. Author Photo

    Caker: Now we just need the ability to restrict what can be done through API, from where (IP addresses), and turn it off altogether. Although the API is awesome it is also sort of a huge hole if someone gets the info needed for it.

  39. Christopher Aker

    Jeremy – that is also in the pipeline. Stay tuned.

  40. Author Photo

    A maintenance window has been scheduled for the Linode Manager and API on Sunday, May 5th between 11:00pm and 11:55pm EDT (UTC-4). Linodes will not be affected by this maintenance, but the Linode Manager and API will be briefly unavailable.

    Just saw that in the status …. I wonder if that’s when you’re implementing more security on it.

  41. Author Photo
  42. Author Photo

    Any possibility of adding Yubikey support?

  43. Author Photo

    Would you consider adding backup codes like Google accounts have?

  44. Author Photo

    Great news that 2factor auth is now here, +1 for Yubikey support!

  45. Author Photo

    @Nathan – You can use Yubikeys to answer TOTP challenges by programming them to challenge-response mode and using an application to provide the current time to them. There’s an official one for Windows, and the article has community ones for Linux.
    The article says gmail in the title, but it all sounds TOTP-generic.

    http://www.yubico.com/applications/internet-services/gmail/

    Now, I agree it’s a larger pain than the one-tap auth you’d get with Yubicloud or non-time-based HOTP… however the former would require hooking to Yubico API, and latter is less secure.

  46. Author Photo

    Hey, thanks for implementing this!

    Just wondering how two-factor auth works on the Linode iPhone app? Is this on the roadmap?

    Thanks again!

  47. Author Photo

    Probably tricky to log into Linode on your phone’s browser.

  48. Author Photo

    I’m with Kevin on this one:

    “You might also consider sending the TOTP token via SMS for non-smartphone users, or users that don’t have such an app installed on their device.”

  49. Author Photo

    Caker – If you are considering sending the token via SMS and are looking for another option to Twilio, check out our API at Nexmo.com (I work there).

    We focus on developing relationships directly with mobile operators in many countries including the US, as opposed to simply using other SMS suppliers. This improves quality and support.

    Our pricing for the US is definitely one of the most competitive!

  50. Author Photo

    Been waiting for this for some time! Glad to see it’s arrived 🙂 Very happy with all your developments guys!

  51. Author Photo

    Will be perfect to add a trusted computer feature as others do. So you don’t have to enter verification code on your personal computer every time.

  52. Author Photo

    Very happy to see this implemented. Looking forward to being able to restrict API access, too.

  53. Author Photo

    Thanks for doing this folks. This is what I like about linode: a community that’s clever enough to make good recommendations, and a company that’s responsive enough to implement them when they make sense.

    We are a tough crowd, but I for one appreciate your hard work.

  54. Author Photo

    Thanks for making this an option!
    I don’t want to be a slave to my phone! 🙂

  55. Author Photo

    >Not cool that it requires a smartphone app. Need a way to generate the OTP on a Linux system.

    http://www.nongnu.org/oath-toolkit/

    This includes a utility called oathtool, which can produce both HOTP and TOTP codes. The Gentoo sunrise overlay has an ebuild for it.

  56. Author Photo

    I ran into a problem with Google Authenticator. Every code I input got rejected. And now I cannot log in to my Linode account.

    I think NameCheap two way authenticator via SMS is far better and stable.

  57. Author Photo

    For those who enter the 6-digit token code but are told it’s invalid:

    Double-check that the time on your 2FA device is accurate to within 30 seconds of the actual time in your timezone, which can be viewed at
    http://www.nrc-cnrc.gc.ca/eng/services/time/web_clock.html
    or
    http://www.time.gov

    If the above is not working, on your 2FA device:

    1. Manually deactivate the option that reads roughly “Set the time and timezone automatically from the network”. The clock on your wireless network, router, or computer might be misconfigured.

    2. Manually set your 2FA device time and timezone to within 30 seconds of:
    http://www.nrc-cnrc.gc.ca/eng/services/time/web_clock.html
    http://www.time.gov/
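As an added example (not Linode’s code and not posted by any commenter), the following Python implements the TOTP algorithm the announcement refers to, per RFC 6238 over HMAC-SHA1 with a 30-second step and six digits, together with a server-side check that accepts a token from one step on either side of the current one. That check is what makes the clock-accuracy advice in the comment above concrete: a device clock within about 30 seconds lands in the accepted window, while a larger skew produces a token two or more steps away, which is rejected as “invalid code”. The base32 passphrase is the RFC 4226/6238 test key written in the form an app lets you type by hand; the server timestamp and the clock offsets are constructed values, and the expected token values are the last six digits of the published RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step (what the common authenticator apps use)
DIGITS = 6          # six-digit token, as described in the announcement


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def decode_base32_secret(passphrase: str) -> bytes:
    """Turn the base32 passphrase shown by the Manager (or typed in by hand) into raw key bytes.
    Spaces and lower case are tolerated and missing '=' padding is restored."""
    cleaned = passphrase.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify(secret: bytes, token: str, at: int, window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept if the token matches the current step or any step within +/-window.

    window=1 tolerates roughly +/-30 s of device clock skew. A device that is further off
    produces a token two or more steps away, which this function rejects."""
    if len(token) != DIGITS or not (token.isascii() and token.isdigit()):
        return False
    counter = at // step
    matched = False
    for delta in range(-window, window + 1):
        # constant-time comparison, and no early exit so timing does not reveal which step matched
        if hmac.compare_digest(hotp(secret, counter + delta), token):
            matched = True
    return matched


def skew_demo(secret: bytes, server_time: int, device_offsets) -> dict:
    """For each device clock offset in seconds, generate the token that device would display
    and report whether a server whose clock reads server_time accepts it."""
    return {off: verify(secret, totp(secret, server_time + off), server_time) for off in device_offsets}


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32 form.
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("token at T=59:", totp(key, 59))            # 287082 (last six digits of the RFC vector)
    server_now = 1111111111                           # constructed server timestamp
    for offset, ok in skew_demo(key, server_now, (0, -25, -40, 90)).items():
        print(f"device clock off by {offset:+d}s -> {'accepted' if ok else 'rejected'}")
```

Run as a script it prints the token for the RFC test time and then shows that a device 25 seconds slow is still accepted while one 40 seconds slow or 90 seconds fast is rejected. Widening `window` trades skew tolerance for a larger set of valid tokens per login attempt, so a real deployment keeps it small and rate-limits attempts rather than growing the window.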
