I see 2FA is now available in beta. That's great, and it works well for logging into the management UI. However I notice that there's no change to the management APIs, I can still access all the APIs using just a username and password. That makes the 2FA a bit... pointless at the moment. Maybe this is just because it's a beta though.
Are there any docs on how the API authentication will work (presumably there are plans to change authentication for the API?)
'beta' ;0( I feel left out!
MFA is great for user-initiated actions in a user interface, but doesn't fit well for non-user-initiated actions [e.g. tools, jobs, CI/CD, CLI ...] in a non-user-interface environment [e.g. bash, Jenkins ...].
Yes, technically you could add another factor [what they possess - maybe network, maybe IP, private keys etc.] on top of the credentials [what they know] for non-users - but I think it's hard. Would love to know/learn if there are simpler solutions.
You are right about this [the beta solution] being pointless: allowing the same credential to access the UI with 2FA and to access the API with just basic auth - but as you understand, this is beta.
I think what would be great would be something similar to the AWS model, having 2 different types of accounts:
1. User account [userid + password]
   - allows access only to the UI
   - requires MFA
   - NO API access; you can't use it in tools, programs ...
2. Service account [userid + password - like AWS keys]
   - only API access
   - basic auth
   - NO UI access; use it for your tools, programs ...
and with RBAC you could easily manage fine-grained access for the service accounts and the user accounts.
I agree, using a 2FA code for every API request doesn't make sense. A token-based or service account approach works.
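The two-account model suggested above (interactive user accounts behind MFA, separate API-only service accounts, roles resolved through RBAC for both) can be shown as a small authentication layer. The example below is added here and is not code from the product discussed in this thread; the directory, the two roles, the `surface` flag and all credential values are constructed for the illustration. It uses the RFC 6238 TOTP construction for the UI second factor and plain PBKDF2-hashed secrets for the service keys, and the point it demonstrates is that the surface a request arrives on decides which directory is consulted, so a user's password is never accepted by the API and a service key never opens the UI.

```python
"""Added example (not the product's code): MFA-protected UI logins next to
API-only service accounts. Directory, roles and credentials are constructed."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Roles resolve to permissions for both account types (the RBAC part).
ROLE_PERMISSIONS = {
    "reader": frozenset({"queues:read"}),
    "deployer": frozenset({"queues:read", "queues:write"}),
}


@dataclass(frozen=True)
class UserAccount:          # interactive: password + TOTP, UI only
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    roles: frozenset


@dataclass(frozen=True)
class ServiceAccount:       # automation: key id + secret, API only
    key_id: str
    salt: bytes
    secret_hash: bytes
    roles: frozenset


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


def check_secret(secret: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_secret(secret, salt), expected)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, what authenticator apps generate."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def check_totp(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    # Accept adjacent time steps to tolerate clock drift; compare in constant time.
    return any(hmac.compare_digest(totp(secret, now + i * 30), code)
               for i in range(-skew_steps, skew_steps + 1))


def new_user(username, password, totp_secret, roles):
    salt = secrets.token_bytes(16)
    return UserAccount(username, salt, hash_secret(password, salt), totp_secret, frozenset(roles))


def new_service(key_id, secret, roles):
    salt = secrets.token_bytes(16)
    return ServiceAccount(key_id, salt, hash_secret(secret, salt), frozenset(roles))


class AuthError(Exception):
    pass


def authenticate(surface: str, creds: dict, now: int, users: dict, services: dict):
    """Return (account, permissions) or raise AuthError. The surface ('ui' or
    'api', hypothetical flag set by the HTTP layer) picks the directory, so
    user passwords are never accepted on the API and keys never open the UI."""
    if surface == "ui":
        user = users.get(creds.get("username"))
        if user is None or not check_secret(creds.get("password", ""), user.salt, user.password_hash):
            raise AuthError("invalid username or password")
        if not check_totp(user.totp_secret, creds.get("totp", ""), now):
            raise AuthError("second factor required")
        account = user
    elif surface == "api":
        svc = services.get(creds.get("key_id"))
        if svc is None or not check_secret(creds.get("secret", ""), svc.salt, svc.secret_hash):
            raise AuthError("invalid API key")
        account = svc
    else:
        raise AuthError(f"unknown surface {surface!r}")
    perms = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in account.roles))
    return account, perms


def authorize(permissions: frozenset, action: str) -> bool:
    return action in permissions


# Constructed demo directory (sample values, not real credentials).
TOTP_SECRET = b"12345678901234567890"          # the RFC 6238 test secret
USERS = {"alice": new_user("alice", "correct horse battery", TOTP_SECRET, ["deployer"])}
SERVICES = {"ci-deploy": new_service("ci-deploy", "k3y-s3cret", ["deployer"]),
            "dashboard": new_service("dashboard", "r0-s3cret", ["reader"])}
```

With this split, the UI rejects a correct password that arrives without a current TOTP code, the API rejects `alice`'s password outright because it only looks up service accounts, and a service key with the `reader` role gets `queues:read` but not `queues:write`. Rotating or revoking a service key then affects only the automation that uses it, not the person's interactive login.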