Linode Community Forums

PostPosted: Fri Oct 07, 2011 10:29 pm 
Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
PostPosted: Sat Oct 08, 2011 1:34 am 
Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
Erhm... I'm not a math major :D

As far as I'm concerned, people are only as secure as they are willing to be. Most everybody wants to be secure, but most that want security are willingly ignorant of how to be secure. I'm not going to use some obvious question that everybody can look up on the Internet; I have some pretty deep secrets that I'm confident only a mind reader could guess, and I don't believe in telepathy :) so in my case, the questions would certainly work.

There's only so much that can be done through a web page. I have yet to find a site that uses an RSA key through HTTP or HTTPS. The closest I've seen is an ssh web client written in Java, and not everybody will want Java. The best bet there would be to use an open source version such as icedtea, but not every user will run icedtea for their java stuff, so there may or may not be an issue with that. But if RSA is possible through HTTP without extra software, I'm all for that approach.

_________________
Kris the Piki Geeker
PostPosted: Sat Oct 08, 2011 3:25 am 
Joined: Sat Feb 14, 2009 1:32 am
Posts: 123
Piki wrote:
There's only so much that can be done through a web page. I have yet to find a site that uses an RSA key through HTTP or HTTPS. The closest I've seen is an ssh web client written in Java, and not everybody will want Java. The best bet there would be to use an open source version such as icedtea, but not every user will run icedtea for their java stuff, so there may or may not be an issue with that. But if RSA is possible through HTTP without extra software, I'm all for that approach.


I believe you are misunderstanding what is meant by an "RSA key". RSA is a security company AND a cryptography algorithm. The SSH daemon you are thinking of is capable of using public key cryptography using the RSA algorithm.

RSA tokens are devices (SecurID) that are created by RSA Security (a subsidiary of EMC Corp) that display a "random" number on a small LCD screen. The number is not truly random though. Using an algorithm the token displays seemingly random numbers and when entered into a login page the number is compared with what a back end server is expecting the number to be. If they match then you are granted access. If not, you aren't. The "random" numbers are rotated every 30 or 60 seconds in order to make it more difficult to guess the number.

RSA tokens are often used as part of two-factor authentication. The idea is that when logging into a secure system you will provide something you know (a PIN or password) and something you have (the token). Without both you will not access the system. This makes it more difficult to access an unauthorized system without some custom social engineering.

A Yubikey is a significantly cheaper alternative to RSA tokens. Created by Yubico, the Yubikey also generates a number that is generated using an algorithm. The Yubikey framework is open-source. Companies can use Yubico's online verification service or can set up their own back end system using PHP and MySQL. In my experience, Yubikey tokens are about 70% cheaper than their RSA counterparts and do not require per-user licenses.

Disclaimer: I have no relation to RSA or Yubikey other than being a customer of both. I currently use both solutions and prefer Yubikeys due to price, flexibility (open-source vs closed-source), and security of their keys (Yubikeys can have their private keys changed and RSA tokens can't).
PostPosted: Sat Oct 08, 2011 10:38 am 
Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
Private/public keys can be used for more than just ssh (e.g. email).

The only problem I see here is how do we get the physical device?

EDIT: Just answered that for myself: the physical device can be replaced by email. The problem is getting two-factor authentication for my email so the second factor (e.g. the RSA key) doesn't get hacked :)

_________________
Kris the Piki Geeker
PostPosted: Sat Oct 08, 2011 11:13 am 
Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
The Linode Manager, technically speaking, will do two-factor authentication for logins from unknown IP addresses, with the second factor being an emailed magic code. From there, Gmail's two-factor authentication ensures that you either need my cellphone, the contents of my fire safe, my wallet, an IMAP password, or remote access to one of my computers to get the mail.

But that's probably not what people are after :-)

Yubikey would be nice, but I don't have easy access to the USB ports on my main computer, so I'd have to run an extension cable and all that. I tend to like the PRNSB(*) hardware tokens as well, but having more than a couple of them would suck.

I think something like Duo would probably be best... hardware if you want it, software if you don't, SMS or voice call if you can't.

(*) Pseudo-random number shitting bears; I sometimes have trouble thinking of the right noun when speaking, so this is what I came up with for the little keychain tokens. The analogy is obvious.
PostPosted: Sat Oct 08, 2011 11:14 am 
Joined: Mon Dec 07, 2009 6:46 am
Posts: 331
1. Android and/or iPhone app
2. Configured by user with a token - private key - which is also set on the Linode
3. Start the app, tap request for public key
4. Login to Linode, input public key you see on your Android / iPhone screen
5. ???
6. Profit
PostPosted: Sat Oct 08, 2011 1:24 pm 
Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
Not everybody will have a Gmail account to use their two-factor authentication, some people aren't even interested. If they do have Gmail, they might not have a cell phone. Of course, they could have Gmail call their home phone, but they might not be home.

That could present a challenge for Linode's two-factor authentication if they do it over the phone.

_________________
Kris the Piki Geeker
PostPosted: Sun Oct 09, 2011 10:24 am 
Joined: Sun Sep 05, 2010 8:55 pm
Posts: 97
hybinet wrote:
Piki wrote:
Perhaps a randomly selected secret question, similar to online banking.

The problem with this approach is that anyone who knows a bit about the user's life history can easily guess the answers.


You know there's no lie detector on the questions, right?

"Who was your favorite high school teacher?"

"/i~ZY*S9bFo*NtRhE9"

"What is your mother's maiden name?"

"JeOY6>R]}|%Tz"
PostPosted: Sun Oct 09, 2011 11:35 am 
Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
Maybe the computer has a lie detector built in and won't let the user use it without being hooked in :lol:

Having several different methods added would help, since not everybody will want or have access to certain methods.

_________________
Kris the Piki Geeker
PostPosted: Wed Apr 18, 2012 5:41 am 
Joined: Wed Apr 18, 2012 5:32 am
Posts: 1
Website: http://alex.mullr.net/blog/
Location: UK
I've just come across the YubiKey (I know, a few years late to the party) when looking for two-factor auth for Fastmail.fm.

It'd be great to see Linode support this for logging in to the manager.
PostPosted: Wed Apr 18, 2012 6:44 am 
Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
I'd rather have Google Authenticator or VeriSign VIP Access; I use them both already. (VeriSign can be on a device you buy or on your phone.)

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue
PostPosted: Wed Apr 18, 2012 7:14 am 
Joined: Wed Feb 08, 2012 7:13 am
Posts: 1
How about using client-side certificate(s)?

If you have to access the panel using a computer/web browser that doesn't have the certificate installed, then just make the user jump through some extra hoops, like the emailed pin code?

The more advanced users could combine this feature with a smart card to store the certificate(s) when moving between computers.
 Post subject: Re: Duo Security
PostPosted: Thu Apr 19, 2012 8:59 am 
Joined: Tue Nov 02, 2010 11:15 am
Posts: 13
Location: Montréal, Canada
dugsong wrote:
Sorry to suggest our company's product here. I figured mention of other open-source / free solutions meant an honest suggestion of our own (which is also open-source, and free for most Unix admin deployments) might be acceptable. I'm a fan of our own product, what can I say.


Hey Dug, I use Duo Security every day to protect SSH logins on my Linode. Thank you for making this happen.
PostPosted: Mon Apr 30, 2012 10:01 am 
Joined: Sat Mar 03, 2012 10:21 am
Posts: 4
I hope Linode decides to support OATH and point people to the Google Authenticator app. A lot of people who care about 2-factor are going to have it already from using it with their Google accounts.

I do not want another Android app or hardware token just to log into Linode.

No disrespect to duo, it's great for what it is, but it's a single point of failure. Google authenticator and other OATH implementations don't rely on anything except your device and an autonomous service that implements OATH, and the device doesn't even need to be connected to a network. It's truly out-of-band.
PostPosted: Tue May 01, 2012 2:02 pm 
Offline
Junior Member

Joined: Sat Jul 25, 2009 10:05 am
Posts: 26
+1 for Yubikey support, that would be fairly nice.