UbuntuOne/Launchpad two-factor authentication
For a little over a year Ian, Clark and I have been using the multi-factor authentication feature of UbuntuOne SSO (i.e. Launchpad) in order to more strongly secure the accounts we rely on for OpenID logins to the Web interfaces of our services like Gerrit and StoryBoard. It's gone smoothly, I think, and so we're probably overdue on our plan to offer this capability to other OpenDev users.

Support for this is not enabled by default, your SSO account needs to be a member of a group which is granted the feature. We have one such group authorized for this purpose, which can be found here:

https://launchpad.net/~opendev-2fa

Please see the information and important caveats documented in the group description. I expect the process would be something like using the LP group members page to request membership for your account, and then one of the group administrators would approve the request, after which you would be able to proceed with configuration of your token or other HOTP/TOTP authenticator.

I'm bringing it up here first for discussion, in order to see if anyone has any concerns or related suggestions, but barring none I'd like to move forward with a "soft" (quiet) call for wider testing the first week of December.

-- Jeremy Stanley

On Mon, Nov 22, 2021 at 3:15 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
> For a little over a year Ian, Clark and I have been using the multi-factor authentication feature of UbuntuOne SSO (i.e. Launchpad) in order to more strongly secure the accounts we rely on for OpenID logins to the Web interfaces of our services like Gerrit and StoryBoard. It's gone smoothly, I think, and so we're probably overdue on our plan to offer this capability to other OpenDev users.
>
> Support for this is not enabled by default, your SSO account needs to be a member of a group which is granted the feature. We have one such group authorized for this purpose, which can be found here:
>
> https://launchpad.net/~opendev-2fa
>
> Please see the information and important caveats documented in the group description. I expect the process would be something like using the LP group members page to request membership for your account, and then one of the group administrators would approve the request, after which you would be able to proceed with configuration of your token or other HOTP/TOTP authenticator.

For context, I've been doing this for many years now and it's been working very well for me.

> I'm bringing it up here first for discussion, in order to see if anyone has any concerns or related suggestions, but barring none I'd like to move forward with a "soft" (quiet) call for wider testing the first week of December.
>
> -- Jeremy Stanley

-- Mohammed Naser
VEXXHOST, Inc.

On 2021-11-22 15:26:10 -0500 (-0500), Mohammed Naser wrote:
> [...]
> For context, I've been doing this for many years now and it's been working very well for me.
> [...]

Thanks! I should have mentioned, it's probable at least some other users are doing this already, since it's been possible to request access directly from the LP admins. Having a group we can use to help our users opt into the feature offloads some of the burden from the LP volunteer maintainers and may also mean faster turn-around time on such requests.

Another thing that would be good to know is what authenticators people are having luck using. I'm personally doing TOTP with a Librem Key (Purism branded Nitrokey derivative with some custom features) and accessing it with the nitrocli utility, though I had to compile my own from its Rust sources since the version in Debian is too old to recognize my device.

-- Jeremy Stanley

On 22.11.2021 at 21:15, Jeremy Stanley wrote:
> For a little over a year Ian, Clark and I have been using the multi-factor authentication feature of UbuntuOne SSO (i.e. Launchpad) in order to more strongly secure the accounts we rely on for OpenID logins to the Web interfaces of our services like Gerrit and StoryBoard.

That brings back memories... In 2011 Canonical worked on adding multi-factor auth to Launchpad. I was a member of the beta testers group then and got my first YubiKey. During May 2012 there was the Ubuntu Developer Summit in Oakland, USA. Each attendee got a YubiKey to be able to use that functionality. In 2013 I left Canonical and most of the groups on LP, which resulted in disabling multi-factor. Will apply for new membership.

On 2021-11-23 10:40:48 +0100 (+0100), Marcin Juszkiewicz wrote:
> [...]
> Will apply for new membership.

Thanks! To be clear though, per my original message, I'm not planning to approve any new member requests for that group until at least next week (let's say December 1), in order to give others opportunity to object to my proposal here on the ML or in next week's IRC meeting, as this week's meeting was officially cancelled.

-- Jeremy Stanley

On 2021-11-22 20:15:05 +0000 (+0000), Jeremy Stanley wrote:
> [...]
> I'm bringing it up here first for discussion, in order to see if anyone has any concerns or related suggestions, but barring none I'd like to move forward with a "soft" (quiet) call for wider testing the first week of December.

I also brought this up in yesterday's OpenDev meeting[*] and there were no objections, nor have any been raised in the past week here. As such, anyone interested in using Ubuntu's 2FA feature feel free to request membership in https://launchpad.net/~opendev-2fa as long as you've read the lengthy disclaimers in the group description there. We've already added two early volunteers.

If it continues to work out well for folks, we can make a bit more noise about the availability early next year. In the meantime, if you have any questions or observations you want to share, feel free to follow up here or in the #opendev channel on the OFTC IRC network.

[*] https://meetings.opendev.org/meetings/infra/2021/infra.2021-11-30-19.01.html

-- Jeremy Stanley

participants (3)
- Jeremy Stanley
- Marcin Juszkiewicz
- Mohammed Naser