From 4b28596983e6399331bc349a9f1055537c287c56 Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 10 Apr 2022 19:16:16 -0400 Subject: [PATCH] Move "More places to setup 2FA" to intro (#968) --- docs/multi-factor-authentication.md | 45 ------------------- docs/security/multi-factor-authentication.md | 47 ++++++++++++++++++++ 2 files changed, 47 insertions(+), 45 deletions(-) diff --git a/docs/multi-factor-authentication.md b/docs/multi-factor-authentication.md index bacaeba1..32c3454c 100644 --- a/docs/multi-factor-authentication.md +++ b/docs/multi-factor-authentication.md @@ -92,48 +92,3 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896) - [:fontawesome-brands-github: GitHub](https://github.com/raivo-otp/ios-application) - -## More places to setup MFA - -### Windows - -Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. - -### macOS - -macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. - -Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. - -After your smartcard/security key is set up, we recommend running this command in the Terminal: - -```text -sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES -``` - -The command will prevent an adversary from bypassing MFA when the computer boots. - -### Linux - -!!! warning - If the [hostname](https://en.wikipedia.org/wiki/Hostname) of your system changes (such as due to DHCP), you would be unable to login. It is vital that you setup a proper hostname for your computer before following this guide. - -The `pam_u2f` module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands such as "apt-get" and package names may however differ. This guide does **not** apply to Qubes OS. - -### Qubes OS - -Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS' [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. - -### SSH - -#### Hardware security keys - -SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. - -#### Time-based One-time Password (TOTP) - -SSH MFA can also be set up using TOTP and DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands such as "apt-get" and package names may differ. - -### KeePass (and KeePassXC) - -KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a documennt for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/docs/security/multi-factor-authentication.md b/docs/security/multi-factor-authentication.md index 0e0e6102..93bdda66 100644 --- a/docs/security/multi-factor-authentication.md +++ b/docs/security/multi-factor-authentication.md @@ -106,3 +106,50 @@ If you have to use email for MFA, make sure that the email account itself is sec If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access or use a dedicated VOIP number from a provider with similar security to avoid a [SIM swap](https://en.wikipedia.org/wiki/SIM_swap_scam) attack. [MFA tools we recommend](../multi-factor-authentication.md){ .md-button } + +## More places to setup MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, ssh keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + If the [hostname](https://en.wikipedia.org/wiki/Hostname) of your system changes (such as due to DHCP), you would be unable to login. It is vital that you setup a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands such as "apt-get" and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS' [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware security keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP and DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands such as "apt-get" and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a documennt for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.