icculus.org
[svn] - [hg] - [git] - [bugzilla] - [ssl] - [mail]

News archive: (submit news)

• Two-factor auth (posted 2014-09-17 11:30:24 by icculus):
  

  Icculus.org now supports two-factor authentication via Google Authenticator. Both ssh logins and webmail can be protected by this extra layer of security.

  The system is opt-in. By default, nothing changes for you, but we encourage you to enable two-factor auth wherever you are able. To set it up:

  1. Install Google Authenticator on your trusted device (namely: your smart phone). You can get it for lots of platforms (and the source code if you get desperate). The Wikipedia page has links to all that and more technical details, too.
  2. ssh to your icculus.org account, and run "google-authenticator". It will ask you something about time-based authentication tokens. Say "y" here. It will spit out a big ASCII QR code on your terminal. Scan this on your phone with the Google Authenticator app. There are a few more questions from google-authenticator, answer them however you feel is reasonable.
  3. That's all.

  Now when you ssh to your icculus.org shell account, you will be prompted for your password _and_ the current code from your Google Authenticator app, which changes every 30 seconds. Please note that if you have a valid private key configured, you will not be prompted for either a password or two-factor code, so that route will continue to work as expected, for automated logins, etc.

  Webmail can also be protected:

  1. Login to your account.
  2. Click the settings button in the top right, where you'll see a "2steps Google verification"
  3. Click the "Activate" checkbox.
  4. Either fill in your secret key from the ssh account, or make a new one and get your QR code.
  5. Optionally fill in recovery keys (or use the same ones from your shell account).
  6. Click "save"
  7. Fill in your current code from your phone and click "Check code" to make sure it's working.
  8. That's all.

  Next time you log into webmail with a valid password, you'll also be prompted for the current code from your smart phone before you can log in. Please note that IMAP and SMTP are not protected by 2-factor auth at this time, nor do we offer "app-specific passwords" at the moment.

  Also, a gentle reminder: two-factor auth is powerful stuff, but you should also use strong, unique passwords everywhere. Using a password manager like 1Password or KeePass or LastPass (etc!) is important in modern times.

  
  --icculus.

[ email newsmaster | get news rdf ]