Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Two-factor authentication coming to Ubuntu One

This article is more than 3 years old.


What is 2-factor authentication (2FA)?

Two factor authentication (2FA) increases your account security further than just using a username and password. In addition to a password (the first factor), you need another factor to access your account. A great example to demonstrate this is when you withdraw money from an ATM. To access your bank account you need both your physical bank card and to know your PIN number. These are the two factors you need to withdraw money = 2 factor authentication!

Common ways to provide this extra level of security are a specific application on your phone or computer, a physical security key/USB (Yubikey, for example), or a smart card. By using more than one of these factors, you can greatly increase the security of your account or system.

2-factor authentication and Ubuntu One SSO

Ubuntu One Single Sign-On (SSO) has supported 2FA since 2014. The ubiquitous OATH (Initiative for Open Authentication) protocol is supported, using open standards to promote stronger security and authentication. Using open standards means that a wide range of devices and applications can be used as a second factor. This includes phone and desktop applications like 1Password, Authy, Authenticator and countless more. This also includes hardware devices from Yubikey, Feitian and others, and even some terminal applications such as oathtool. Thanks to OATH’s simplicity, even a list of numeric codes can be used as a valid device. These codes could, for example, be printed on a sheet of paper and stored securely for use in an emergency or as a backup device

The basics of the workflow, mechanics and code in Ubuntu One SSO  are solid, proven, and used by hundreds of people every day. Despite the above, 2FA in Ubuntu One SSO has remained in closed beta for more than 7 years. The one thing that was lacking was a comprehensive code recovery experience to prevent lockouts

Why code recovery?

A downside of 2-factor authentication is that, should the code-generating device(s) be lost, misplaced, broken or misconfigured, the user will be unable to enter a 2-factor code and thus will be denied access to their account.

As 2FA entered beta testing, it was primarily used by Canonical employees. In this situation, the company has verified mechanisms for identity validation and device reset. However, as the pool of testers expanded to include security-minded, community members and external users, we realized it wasn’t as easy to provide an analogous recovery mechanism. Since we don’t have any verifiable information identifying the user or linking them to their account, there was no way to establish ownership of that account. Despite an email address being a reasonable method of linking a user to their account, 2FA operates under the assumption that an email address could be compromised. As a result, in practice, users who get locked out of 2FA effectively lose their accounts.

What are we doing about this?

After many years in beta, we have created a comprehensive code recovery experience. Following this, we are happy to announce that we will be implementing 2FA for all Ubuntu One accounts. This change is coming in the next few weeks, so keep your eyes peeled for instructions on how to enable 2FA for your account. With a reliable backup mode of authentication, lockouts should be a thing of the past.

In the meantime, if you want to read more about secure IoT and Desktop solutions, check out the links below!

Photo by Alberto Barrera on Unsplash, taken at Lago de Garda, Italy.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

Imagining the future of Cybersecurity

October 2024 marks the 20th anniversary of Ubuntu. The cybersecurity landscape has significantly shifted since 2004. If you have been following the Ubuntu...

6 facts for CentOS users who are holding on

Considering migrating to Ubuntu from other Linux platforms, such as CentOS? Find six useful facts to get started!

Why is Ubuntu Linux the leading choice to replace CentOS for financial services?

Financial services are powered by technology. The customer experience is increasingly driven by data, with tailoring of products and services to reflect...