Linode Community Forums
Posted: Tue May 28, 2013 10:27 am
Website: http://danslimmon.com/
I've been using two-factor auth for access to Linode Manager. And it's great! Thank you for implementing it.

However, I downloaded the Linode Manager iPhone app today (also great), and I discovered I was able to log in with just my username and password. It never prompted me for a Google Authenticator code. This makes 2-factor authentication pointless, since if somebody got hold of my password, they could just use the mobile app to log in as me.

I think the following two items are critical:
  • If a user has enabled 2-factor authentication, he should not be able to log in without providing a token.
  • The mobile app should support 2-factor authentication.

_________________
Dan Slimmon
Senior Platform Engineer
Exosite
Minneapolis, MN


Posted: Tue May 28, 2013 10:32 am
Correct me if I'm wrong, but this is a limitation of the API and it should be fixed at the same time they fix the API.

I think caker knows and talked about it in chat, but this was a while ago and I don't want to put words in his mouth.


Posted: Wed May 29, 2013 8:28 am
I have absolutely no knowledge about this situation, but I do know that it can take weeks (or longer) for apps or app updates to make it through the Apple approval process. Perhaps it is "in the pipeline"?


Posted: Wed May 29, 2013 9:04 am
Main Street James: Maybe, but iPhone support for 2-factor is really secondary here. As long as it's possible to authenticate to the server with just your username and password even when you have 2-factor enabled, 2-factor doesn't provide any security.

_________________
Dan Slimmon
Senior Platform Engineer
Exosite
Minneapolis, MN

Posted: Wed May 29, 2013 9:26 am
danslimmon wrote:
Main Street James: Maybe, but iPhone support for 2-factor is really secondary here. As long as it's possible to authenticate to the server with just your username and password even when you have 2-factor enabled, 2-factor doesn't provide any security.

danslimmon,
I'm not disagreeing with you. I was only commenting on a possible reason the iPhone app hasn't been updated yet.

The fact that a two-factor authentication enabled account can connect under *any* circumstances with only username/password is an indication that it isn't implemented correctly.


MSJ


Posted: Wed May 29, 2013 9:37 am
I agree the app needs to be locked down. The bigger issue though is the API, which does not require two-factor. Right now you cannot disable your API or limit it in any way. End result is the current two-factor auth feature for the manager provides no security, at this moment, at all.

However, caker confirmed to me on the blog a few weeks ago that the ability to restrict API, which would restrict the app as well, is in the works. In the meantime though you should not count on the two-factor protecting you against anything.


Posted: Wed May 29, 2013 11:18 am
DrJ wrote:
I agree the app needs to be locked down. The bigger issue though is the API which does not require two-factor. Right now you can not disable your API or limit it in any way. End result is the current two-factor auth feature for the manager provides no security, at this moment, at all.

However, caker confirmed to me on the blog a few weeks ago that the ability to restrict API, which would restrict the app as well, is in the works. In the meantime though you should not count on the two-factor protecting you against anything.


This is incorrect. You can disable your API now. There's a button where you can generate a new API key as well.


Posted: Wed May 29, 2013 11:38 am
Then caker must have already implemented it. Good to know. If that's the case then disabling that should make the iPhone app not work. I believe it uses the API.

Update: I just disabled my API and tried the app. Still worked fine. So it must not require the API.

