As of today, we have made it possible to secure access to the CloudVPS Interface and the Skyline interface for our OpenStack services using Two Factor Authentication (TFA).
Security experts explain TFA as: "There are 3 independent authentication factors: what you know (password), what you have (hardware token, mobile phone) and who you are (fingerprint). Two Factor Authentication means the system is using two of these factors for authentication."
Especially after the Heartbleed bug in OpenSSL, TFA is increasingly demanded by serious internet users: "If a single authentication factor is compromised, a second factor should be necessary to gain access to a system. Using a password often is not good enough." In our implementation we use a password and a one-time code that can be generated on a smartphone.
One Time Password
The industry standard for Two Factor Authentication combines a time-limited component from the possession factor with the knowledge factor. The same mechanism is used in online banking, where a bank card with PIN and a hardware identifier is used to generate a time-limited 6-digit number: a One Time Password (OTP).
Our implementation of the One Time Password is based on the open standards developed by the Initiative for Open Authentication (OATH). From these standards we use the HMAC-based Time-based One-Time Password (TOTP) algorithm as specified in RFC 6238.
How to enable and use TFA
When enabling Two Factor Authentication for a user, a shared secret is generated that, combined with the current time, is the input from which each One Time Password (OTP) Token is computed. Because the token depends on the current time, the device generating it must have a reasonably accurate clock. A range of Authenticator Applications can generate OTP-Tokens that are valid for 30 seconds. The most common method is to install an Authenticator App on your mobile phone and use that application to generate OTP-Tokens for your accounts. Google Authenticator for Android, iOS and BlackBerry and Microsoft Authenticator for Windows Phone are the most widely used.
To add an account to an Authenticator App you can enter the OTP-Secret along with the username and the issuer (the site, company or application) or, if the phone has a camera and the App supports this feature, scan the information from a QR-Code containing an otpauth:// link. Such a QR-Code carries all the information necessary to create an entry in an Authenticator App.
An OTP-Token is a 6-digit number that is valid for 30 seconds. The token has to be typed directly after your password; in essence, your password is extended with the 6-digit Token.
Read our knowledge base for a step-by-step walkthrough on enabling TFA on our systems.