Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Holly Hall
on 17 June 2021


What is 2-factor authentication (2FA)?

Two factor authentication (2FA) increases your account security further than just using a username and password. In addition to a password (the first factor), you need another factor to access your account. A great example to demonstrate this is when you withdraw money from an ATM. To access your bank account you need both your physical bank card and to know your PIN number. These are the two factors you need to withdraw money = 2 factor authentication!

Common ways to provide this extra level of security are a specific application on your phone or computer, a physical security key/USB (Yubikey, for example), or a smart card. By using more than one of these factors, you can greatly increase the security of your account or system.

2-factor authentication and Ubuntu One SSO

Ubuntu One Single Sign-On (SSO) has supported 2FA since 2014. The ubiquitous OATH (Initiative for Open Authentication) protocol is supported, using open standards to promote stronger security and authentication. Using open standards means that a wide range of devices and applications can be used as a second factor. This includes phone and desktop applications like 1Password, Authy, Authenticator and countless more. This also includes hardware devices from Yubikey, Feitian and others, and even some terminal applications such as oathtool. Thanks to OATH’s simplicity, even a list of numeric codes can be used as a valid device. These codes could, for example, be printed on a sheet of paper and stored securely for use in an emergency or as a backup device

The basics of the workflow, mechanics and code in Ubuntu One SSO  are solid, proven, and used by hundreds of people every day. Despite the above, 2FA in Ubuntu One SSO has remained in closed beta for more than 7 years. The one thing that was lacking was a comprehensive code recovery experience to prevent lockouts

Why code recovery?

A downside of 2-factor authentication is that, should the code-generating device(s) be lost, misplaced, broken or misconfigured, the user will be unable to enter a 2-factor code and thus will be denied access to their account.

As 2FA entered beta testing, it was primarily used by Canonical employees. In this situation, the company has verified mechanisms for identity validation and device reset. However, as the pool of testers expanded to include security-minded, community members and external users, we realized it wasn’t as easy to provide an analogous recovery mechanism. Since we don’t have any verifiable information identifying the user or linking them to their account, there was no way to establish ownership of that account. Despite an email address being a reasonable method of linking a user to their account, 2FA operates under the assumption that an email address could be compromised. As a result, in practice, users who get locked out of 2FA effectively lose their accounts.

What are we doing about this?

After many years in beta, we have created a comprehensive code recovery experience. Following this, we are happy to announce that we will be implementing 2FA for all Ubuntu One accounts. This change is coming in the next few weeks, so keep your eyes peeled for instructions on how to enable 2FA for your account. With a reliable backup mode of authentication, lockouts should be a thing of the past.

In the meantime, if you want to read more about secure IoT and Desktop solutions, check out the links below!

Photo by Alberto Barrera on Unsplash, taken at Lago de Garda, Italy.

Related posts


Aaron Whitehouse
24 November 2023

Ubuntu Explained: How to ensure security and stability in cloud instances—part 3

Cloud and server Article

Applying updates across a fleet of multiple Ubuntu instances is a balance of security and service uptime. We explore best practices to maximise stability. ...


Canonical
21 November 2023

Canonical announces the general availability of chiselled Ubuntu containers

Canonical announcements Article

Production-ready, secure-by-design, ultra-small containers with chiselled Ubuntu Canonical announced today the general availability of chiselled Ubuntu containers which come with Canonical’s security maintenance and support commitment. Chiselled Ubuntu containers are ultra-small OCI images that deliver only the application and its runtime ...


Aaron Whitehouse
21 November 2023

Ubuntu Explained: How to ensure security and stability in cloud instances—part 2

Cloud and server Article

You probably know that it is important to apply security updates. You may not be clear how to do that. We are going to explain best practices for applying Ubuntu updates to single instances and what the built-in unattended-upgrades tool does and does not do. ...