Feature request: FIDO U2F Support (e.g. Yubikey)

Oleh · November 12, 2020, 6:35pm

Hi! Verifying possession of the hardware key for authentication purposes is one of the most secure methods available. It allows to mitigate many attacks on Netlify accounts and is more secure than 2FA these days, when 0day attacks on smartphones happen so often.

Here’s a good guide on the topic – Your Complete Guide to FIDO, FIDO2 and WebAuthn - Secret Double Octopus

I’d like to request an ability to:

Connect any number of U2F compatible keys to an account (for backup purposes) as a second factor.
Be able to enable the strict requirement of the device presence to access the account, so it cannot be replaced by other 2FA methods.

perry · November 16, 2020, 7:38pm

interesting, @Oleh! we will discuss and let you know whether we decide to file a feature request - we will circle back here either way!

Oleh · January 14, 2021, 10:54am

Hey @perry, any updates on this feature in a new year?

perry · January 22, 2021, 10:28pm

unfortunately nothing to report yet - but i will be sure to update you here if we decide to implement this!

ppfj · March 2, 2021, 5:42am

i second this.

to provide a bit more rationale… the upstream repositories all support 2FA with hardware keys. the obvious reason for this being that the more important the application, the more you want to prevent modifications via accidentally exposing or intercepting a key. hardware keys are one of the most failsafe ways to accomplish this, hence why github/bitbucket/etc support them.

however when using netlify with these options, netlify becomes the weaker link. having some 2fa is nice, but as long as netlify is providing a lower level of security than the actual commit source/repository, it makes netlify accounts more of a target for things like man in middle or social engineering, simply because of the lower standard applied and the ability to accomplish the same end with less work.

Oleh · May 31, 2022, 2:15pm

It’s required for security even more, and no solution is available.

hrishikesh · June 4, 2022, 6:01pm

There’s a workaround: https://support.yubico.com/hc/en-us/articles/360013789259-Using-Your-YubiKey-with-Authenticator-Codes

TL;DR: You could use Yubikey Authenticator which can be protected behind your Yubikey hardware.

oliver · April 10, 2023, 12:36pm

Unfortunately that’s phishable - the benefit of FIDO/webauthn is that it’s unphishable.

SamO · April 10, 2023, 5:56pm

Thanks for sharing that!

Topic		Replies	Views
Feature Request: Two Factor Authentication / 2FA on Accounts Features	20	4132	September 1, 2020
2FA (Two Factor Authentication) released for all Netlify accounts Updates security	8	980	November 2, 2020
Two-factor authentication lack of access Support netlify-newbie	1	126	October 2, 2023
Netlify Auth integration with Shibboleth Support authentication	8	641	February 28, 2021
Banned after requesting help logging in Admin netlify-newbie	6	300	December 1, 2023

Feature request: FIDO U2F Support (e.g. Yubikey)

Related topics