Two factor authentication for management API?


I see 2FA is now available in beta. That's great, and it works well for logging into the management UI. However I notice that there's no change to the management APIs, I can still access all the APIs using just a username and password. That makes the 2FA a bit... pointless at the moment. Maybe this is just because it's a beta though.

Are there any docs on how the API authentication will work (presumably there are plans to change authentication for the API?)


Still in beta.

We'll have more on the API access.

@Joel D'sa may have some comment here.

'beta' ;0( I feel left out!

MFA is great for user initiated actions in a user interface, but doesn't fit well for user/non-user [for eg, tools, jobs, CI/CD, cli ..] initiated actions in a non-user interface environment [for eg, bash, jenkins ..]

Yes, technically you could add another factor [what they possess - maybe network, maybe IP, private keys etc.] on top of the credentials [what they know] for non-users - but I think it's hard. Would love to know/learn if there are simpler solutions.

You are right about this [the beta solution] being pointless: allowing the same credential to access the UI with 2FA and to access the API with just basic auth - but as you understand this is beta.

I think what would be great would be something similar to the AWS model, having 2 different types of accounts.

1. User account [ userid+password]

> that allows access only to UI,

> requires MFA

> NO API Access, you can't use it in tools, programs ..

2. Service account [ userid+password - like AWS keys]

> Only API Access

> Basic auth

> NO UI Access, use it for your tools, programs ..

and with RBAC you could easily manage fine grained access to service accounts and the user accounts.
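The two-account-type model described in the reply above, worked through as an added example (this is illustrative code written for this thread, not the vendor's product or any poster's code). It assumes a hypothetical policy layer in front of both the UI and the management API, with constructed demo accounts: a "user" account that must present a password plus a TOTP code and is only ever accepted on the UI surface, and a "service" account that authenticates with HTTP basic auth and is only ever accepted on the API surface. Role permissions stand in for the RBAC layer. The TOTP seed is the RFC 6238 reference seed so the expected codes are known; the salt, account names and secrets are all made up.

```python
"""Hypothetical policy layer separating user accounts (UI + MFA) from
service accounts (API + basic auth), with role-based permission checks.
Added example for this thread; not the product's code."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed fixed salt so the demo is deterministic. A real system
# stores a random salt per account.
SALT = b"constructed-demo-salt"


def _hash(secret: str) -> bytes:
    """Slow salted hash of a password or service-account secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)


# Constructed demo accounts. The user account's TOTP seed is the RFC 6238
# test seed ("12345678901234567890" in base32); the rest is made up.
ACCOUNTS = {
    "alice": {"type": "user", "hash": _hash("hunter2"),
              "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
              "roles": {"admin"}},
    "ci-deploy": {"type": "service", "hash": _hash("s3rv1ce-key"),
                  "roles": {"deployer"}},
}

# RBAC: roles map to permission strings; a trailing "*" is a prefix wildcard.
ROLE_PERMISSIONS = {
    "admin": {"ui:*"},
    "deployer": {"api:deployments:read", "api:deployments:write"},
}

# Hash of an empty secret, used so a missing account costs the same time
# as a wrong password (avoids a timing-based username oracle).
_DUMMY_HASH = _hash("")


def totp(seed_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def has_permission(roles, permission: str) -> bool:
    for role in roles:
        for granted in ROLE_PERMISSIONS.get(role, ()):
            if granted == permission:
                return True
            if granted.endswith("*") and permission.startswith(granted[:-1]):
                return True
    return False


def basic_auth_header(user: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def parse_basic_auth(header: str):
    """Return (user, secret) from an 'Authorization: Basic ...' value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("unsupported auth scheme")
    user, _, secret = base64.b64decode(blob).decode().partition(":")
    return user, secret


def authorize(name, secret, surface, permission, totp_code=None, now=None):
    """Decide whether `name` may perform `permission` on `surface`
    ('ui' or 'api'). Returns (allowed, reason)."""
    acct = ACCOUNTS.get(name)
    expected = acct["hash"] if acct else _DUMMY_HASH
    if not hmac.compare_digest(expected, _hash(secret)) or acct is None:
        return False, "bad credentials"
    # Surface binding: the account type decides where the credential works.
    if acct["type"] == "user" and surface != "ui":
        return False, "user accounts have no API access"
    if acct["type"] == "service" and surface != "api":
        return False, "service accounts have no UI access"
    # Second factor is mandatory for interactive user accounts.
    if acct["type"] == "user":
        now = time.time() if now is None else now
        if totp_code is None or not hmac.compare_digest(
                totp_code, totp(acct["totp_seed"], now)):
            return False, "MFA code missing or invalid"
    if not has_permission(acct["roles"], permission):
        return False, "role does not grant this permission"
    return True, "ok"


def handle_api_request(auth_header: str, permission: str):
    """Entry point for the API surface: basic auth only, no MFA prompt."""
    user, secret = parse_basic_auth(auth_header)
    return authorize(user, secret, "api", permission)
```

The point of the example is the ordering of the checks: credentials first, then the account-type-to-surface binding, then MFA (only where a human is present to supply it), then RBAC. A user's password is never usable against the API even if the password is correct, which is exactly the gap the original question describes.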

I agree, using a 2FA code for every API request doesn't make sense. A token-based or service account approach works.