mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2024-07-31 15:42:52 +00:00
Move "More places to setup 2FA" to intro (#968)
parent
90292634a8
commit
4b28596983
|
@ -92,48 +92,3 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
|
||||||
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
|
- [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137)
|
||||||
- [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896)
|
- [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896)
|
||||||
- [:fontawesome-brands-github: GitHub](https://github.com/raivo-otp/ios-application)
|
- [:fontawesome-brands-github: GitHub](https://github.com/raivo-otp/ios-application)
|
||||||
|
|
||||||
## More places to setup MFA
|
|
||||||
|
|
||||||
### Windows
|
|
||||||
|
|
||||||
Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
|
|
||||||
|
|
||||||
### macOS
|
|
||||||
|
|
||||||
macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
|
|
||||||
|
|
||||||
Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
|
|
||||||
|
|
||||||
After your smartcard/security key is set up, we recommend running this command in the Terminal:
|
|
||||||
|
|
||||||
```text
|
|
||||||
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
|
|
||||||
```
|
|
||||||
|
|
||||||
The command will prevent an adversary from bypassing MFA when the computer boots.
|
|
||||||
|
|
||||||
### Linux
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
If the [hostname](https://en.wikipedia.org/wiki/Hostname) of your system changes (such as due to DHCP), you would be unable to login. It is vital that you setup a proper hostname for your computer before following this guide.
|
|
||||||
|
|
||||||
The `pam_u2f` module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands such as "apt-get" and package names may however differ. This guide does **not** apply to Qubes OS.
|
|
||||||
|
|
||||||
### Qubes OS
|
|
||||||
|
|
||||||
Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS' [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
|
|
||||||
|
|
||||||
### SSH
|
|
||||||
|
|
||||||
#### Hardware security keys
|
|
||||||
|
|
||||||
SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
|
|
||||||
|
|
||||||
#### Time-based One-time Password (TOTP)
|
|
||||||
|
|
||||||
SSH MFA can also be set up using TOTP and DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands such as "apt-get" and package names may differ.
|
|
||||||
|
|
||||||
### KeePass (and KeePassXC)
|
|
||||||
|
|
||||||
KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a documennt for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
|
|
||||||
|
|
|
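Review bot: deleting the `## More places to setup MFA` heading from this file also removes its anchor, so any existing link that targets that section here will stop resolving once the content lives only in the intro page. Please search the repository for links to that anchor before merging, and consider leaving a one-line pointer to the new location after the Raivo OTP links so readers who arrive at this page still find the Windows, macOS, Linux, Qubes OS, SSH and KeePass instructions.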
@ -106,3 +106,50 @@ If you have to use email for MFA, make sure that the email account itself is sec
|
||||||
If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access or use a dedicated VOIP number from a provider with similar security to avoid a [SIM swap](https://en.wikipedia.org/wiki/SIM_swap_scam) attack.
|
If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access or use a dedicated VOIP number from a provider with similar security to avoid a [SIM swap](https://en.wikipedia.org/wiki/SIM_swap_scam) attack.
|
||||||
|
|
||||||
[MFA tools we recommend](../multi-factor-authentication.md){ .md-button }
|
[MFA tools we recommend](../multi-factor-authentication.md){ .md-button }
|
||||||
|
|
||||||
|
## More places to setup MFA
|
||||||
|
|
||||||
|
Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, ssh keys or even password databases as well.
|
||||||
|
|
||||||
|
### Windows
|
||||||
|
|
||||||
|
Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer.
|
||||||
|
|
||||||
|
### macOS
|
||||||
|
|
||||||
|
macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.
|
||||||
|
|
||||||
|
Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS.
|
||||||
|
|
||||||
|
After your smartcard/security key is set up, we recommend running this command in the Terminal:
|
||||||
|
|
||||||
|
```text
|
||||||
|
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
|
||||||
|
```
|
||||||
|
|
||||||
|
The command will prevent an adversary from bypassing MFA when the computer boots.
|
||||||
|
|
||||||
|
### Linux
|
||||||
|
|
||||||
|
!!! warning
|
||||||
|
If the [hostname](https://en.wikipedia.org/wiki/Hostname) of your system changes (such as due to DHCP), you would be unable to login. It is vital that you setup a proper hostname for your computer before following this guide.
|
||||||
|
|
||||||
|
The `pam_u2f` module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands such as "apt-get" and package names may however differ. This guide does **not** apply to Qubes OS.
|
||||||
|
|
||||||
|
### Qubes OS
|
||||||
|
|
||||||
|
Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS' [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS.
|
||||||
|
|
||||||
|
### SSH
|
||||||
|
|
||||||
|
#### Hardware security keys
|
||||||
|
|
||||||
|
SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up.
|
||||||
|
|
||||||
|
#### Time-based One-time Password (TOTP)
|
||||||
|
|
||||||
|
SSH MFA can also be set up using TOTP and DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands such as "apt-get" and package names may differ.
|
||||||
|
|
||||||
|
### KeePass (and KeePassXC)
|
||||||
|
|
||||||
|
KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a documennt for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website.
|
||||||
|
|
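Review bot: the KeePass paragraph at the end of the added block still carries the typo "documennt" from the old location; since the text is being moved anyway, fix it here to "document". The same pass could tidy the other wording that was copied over unchanged: "setup" used as a verb in the `## More places to setup MFA` heading and in the Linux warning ("set up"), "unable to login" ("log in"), "ssh keys" in the new intro sentence ("SSH keys"), "MFA authentication" in the Linux paragraph, and "Yubico have" next to "Yubico has" elsewhere in the block. In the macOS part, the sentence after the `DisableFDEAutoLogin` command only says it prevents bypassing MFA at boot; a short clause on what the setting changes would help readers judge whether it applies to them. The new section also lands after the "MFA tools we recommend" button, which reads like the page's closing call to action, so consider placing the section above the button.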