What is 2-factor authentication (2FA)?
Two factor authentication (2FA) increases your account security further than just using a username and password. In addition to a password (the first factor), you need another factor to access your account. A great example to demonstrate this is when you withdraw money from an ATM. To access your bank account you need both your physical bank card and to know your PIN number. These are the two factors you need to withdraw money = 2 factor authentication!
Common ways to provide this extra level of security are a specific application on your phone or computer, a physical security key/USB (Yubikey, for example), or a smart card. By using more than one of these factors, you can greatly increase the security of your account or system.
2-factor authentication and Ubuntu One SSO
Ubuntu One Single Sign-On (SSO) has supported 2FA since 2014. The ubiquitous OATH (Initiative for Open Authentication) protocol is supported, using open standards to promote stronger security and authentication. Using open standards means that a wide range of devices and applications can be used as a second factor. This includes phone and desktop applications like 1Password, Authy, Authenticator and countless more. This also includes hardware devices from Yubikey, Feitian and others, and even some terminal applications such as oathtool. Thanks to OATH’s simplicity, even a list of numeric codes can be used as a valid device. These codes could, for example, be printed on a sheet of paper and stored securely for use in an emergency or as a backup device
The basics of the workflow, mechanics and code in Ubuntu One SSO are solid, proven, and used by hundreds of people every day. Despite the above, 2FA in Ubuntu One SSO has remained in closed beta for more than 7 years. The one thing that was lacking was a comprehensive code recovery experience to prevent lockouts
Why code recovery?
A downside of 2-factor authentication is that, should the code-generating device(s) be lost, misplaced, broken or misconfigured, the user will be unable to enter a 2-factor code and thus will be denied access to their account.
As 2FA entered beta testing, it was primarily used by Canonical employees. In this situation, the company has verified mechanisms for identity validation and device reset. However, as the pool of testers expanded to include security-minded, community members and external users, we realized it wasn’t as easy to provide an analogous recovery mechanism. Since we don’t have any verifiable information identifying the user or linking them to their account, there was no way to establish ownership of that account. Despite an email address being a reasonable method of linking a user to their account, 2FA operates under the assumption that an email address could be compromised. As a result, in practice, users who get locked out of 2FA effectively lose their accounts.
What are we doing about this?
After many years in beta, we have created a comprehensive code recovery experience. Following this, we are happy to announce that we will be implementing 2FA for all Ubuntu One accounts. This change is coming in the next few weeks, so keep your eyes peeled for instructions on how to enable 2FA for your account. With a reliable backup mode of authentication, lockouts should be a thing of the past.
In the meantime, if you want to read more about secure IoT and Desktop solutions, check out the links below!
- Secure IoT device management
- Optimised authentication methods for Ubuntu Desktop
- Securing IoT device data against physical access