Feature request: FIDO U2F Support (e.g. Yubikey)

Hi! Verifying possession of a hardware key for authentication purposes is one of the most secure methods available. It makes it possible to mitigate many attacks on Netlify accounts and is more secure than 2FA these days, when 0day attacks on smartphones happen so often.

Here’s a good guide on the topic – Your Complete Guide to FIDO, FIDO2 and WebAuthn - Secret Double Octopus

I’d like to request an ability to:

  • Connect any number of U2F compatible keys to an account (for backup purposes) as a second factor.
  • Be able to enable a strict requirement of device presence to access the account, so it cannot be replaced by other 2FA methods.
3 Likes

interesting, @Oleh! we will discuss and let you know whether we decide to file a feature request - we will circle back here either way!

1 Like

Hey @perry, any updates on this feature in the new year? 🙂

unfortunately nothing to report yet - but i will be sure to update you here if we decide to implement this!

i second this.

to provide a bit more rationale… the upstream repositories all support 2FA with hardware keys. the obvious reason for this being that the more important the application, the more you want to prevent modifications via accidentally exposing or intercepting a key. hardware keys are one of the most failsafe ways to accomplish this, hence why github/bitbucket/etc support them.

however when using netlify with these options, netlify becomes the weaker link. having some 2fa is nice, but as long as netlify is providing a lower level of security than the actual commit source/repository, it makes netlify accounts more of a target for things like man-in-the-middle or social engineering, simply because of the lower standard applied and the ability to accomplish the same end with less work.

2 Likes

It’s required for security even more, and no solution is available.

There’s a workaround: https://support.yubico.com/hc/en-us/articles/360013789259-Using-Your-YubiKey-with-Authenticator-Codes

TL;DR: You could use Yubikey Authenticator which can be protected behind your Yubikey hardware.

Unfortunately that’s phishable - the benefit of FIDO/webauthn is that it’s unphishable.

1 Like
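The distinction drawn in the reply above (an authenticator code is phishable, a FIDO/WebAuthn assertion is not) comes down to what the server actually checks. The following is an added example and not code from this thread, from Netlify, or from Yubico: it implements the TOTP check from RFC 6238 beside the origin and RP ID binding checks a WebAuthn relying party performs on an assertion (a subset of the spec's verification steps, before signature verification). The TOTP seed, challenge, RP ID `example.com` and the look-alike origin `https://example-login.test` are constructed values for the demonstration.

```python
# Added example (not from the thread): why a TOTP code can be relayed from a
# look-alike site but a WebAuthn assertion is rejected by the real relying party.
import base64
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 4226/6238), the kind of code an authenticator app produces ---

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 TOTP: the secret and the time step are the only inputs."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbours.
    Nothing about *where* the code was typed enters the check, so a code the
    victim enters on a look-alike site is just as valid on the real one."""
    for off in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + off * step, step), code):
            return True
    return False

# --- WebAuthn assertion binding checks (subset of spec section 7.2) ---

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_origin: str, expected_rp_id: str,
                             issued_challenge: bytes) -> tuple[bool, str]:
    """Checks the relying party makes before verifying the signature.
    The browser writes the origin into clientDataJSON and the authenticator
    hashes the RP ID into authenticatorData; the signature then covers
    authenticatorData || SHA-256(clientDataJSON), so neither can be edited."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:          # UP flag: user presence
        return False, "user presence flag not set"
    return True, "binding checks passed (signature still to be verified)"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser produces for navigator.credentials.get(); constructed here."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str) -> bytes:
    """rpIdHash (32) || flags (1, UP set) || signCount (4); constructed."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", 7)

def phishing_scenario() -> dict:
    """Constructed scenario: the user is lured to https://example-login.test,
    which relays whatever it collects to the real site at https://example.com."""
    secret = b"12345678901234567890"          # constructed TOTP seed
    now = 1_700_000_000
    relayed_code = totp(secret, now)          # victim reads it off the authenticator
    totp_accepted = verify_totp(secret, relayed_code, now)

    challenge = hashlib.sha256(b"constructed-challenge").digest()
    rp_id = "example.com"
    genuine = verify_assertion_binding(make_client_data("https://example.com", challenge),
                                       make_authenticator_data(rp_id),
                                       "https://example.com", rp_id, challenge)
    # On the look-alike site the browser fills in *its* origin and RP ID; the
    # user cannot override that, so the relayed assertion fails the checks.
    relayed = verify_assertion_binding(make_client_data("https://example-login.test", challenge),
                                       make_authenticator_data("example-login.test"),
                                       "https://example.com", rp_id, challenge)
    return {"totp_accepted_from_phish": totp_accepted,
            "webauthn_genuine": genuine[0],
            "webauthn_relayed": relayed[0],
            "webauthn_relayed_reason": relayed[1]}

if __name__ == "__main__":
    for k, v in phishing_scenario().items():
        print(f"{k}: {v}")
```

In practice the browser would not even let the look-alike page request a credential for `example.com`, because the RP ID must match the calling origin's registrable domain; the relying-party checks above are the second line of defence for a server that receives an assertion from anywhere. The TOTP function is checked against the RFC 6238 SHA-1 test vector (time 59 gives 94287082, whose last six digits are 287082).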

Thanks for sharing that!