by oinksoft 4790 days ago
Not everybody owns or wants a smartphone. Linode needs to extend this to some non-smartphone device, like YubiKey, or offer SMS codes, like Google Authenticator. This is a step in the right direction, but is ultimately disappointing for me.
4 comments

TOTP works fine with physical tokens. e.g. http://onlinenoram.gemalto.com/

All they need to do is let users locally generate (i.e. in the token) seeds and then enter those into the web portal, vs. generating seeds internal to the portal, displaying them, and having the user enter them into the authenticator app or token (because the tokens don't allow you to enter a seed).
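The two enrollment flows described in the comment above differ only in where the seed comes from; the verification math is the same. The following is an added example, not code from the thread or from Linode, showing a minimal RFC 4226/6238 HOTP/TOTP implementation with both a portal-generated seed and a token-generated seed typed in as Base32, plus the confirmation step a portal should require (one valid code) before it enables the seed on the account. The window size, digit count and function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step or +/- `window` steps (clock drift).

    compare_digest keeps the comparison constant-time so timing does not leak
    how many leading digits matched.
    """
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def portal_generated_seed() -> bytes:
    """Flow 1: the portal makes the seed and shows it (QR/Base32) to the user."""
    return os.urandom(20)  # 160-bit seed, the size RFC 4226 recommends


def token_generated_seed(base32_seed: str) -> bytes:
    """Flow 2: the user types in the Base32 seed that the hardware token generated."""
    return base64.b32decode(base32_seed.strip().upper(), casefold=True)


def confirm_enrollment(secret: bytes, submitted_code: str, at_time: int) -> bool:
    """Whichever side produced the seed, only enable it after the user proves
    the authenticator/token actually holds it by submitting one valid code."""
    return verify_totp(secret, submitted_code, at_time)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret "12345678901234567890"
    # entered as Base32, as a user would copy it from a token.
    seed = token_generated_seed("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("current code:", totp(seed, now))
    print("enrollment confirmed:", confirm_enrollment(seed, totp(seed, now), now))
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1, 6 digits) give `287082` at t=59 and `081804` at t=1111111109, which is a quick way to check any TOTP implementation against a hardware token before trusting it.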

I have to imagine the overlap between Linode customers and smart phone owners was so large (and the cost of implementation so low) that leaving out hardware authenticators makes sense for v1.

One area where hardware authenticators work really well is where you want to split access to an account, or have some accountable/logged procedure for it. You put the physical token in an envelope and in a safe/put it in the control of a finance person. Tech people have the password, but need to request the token to do logins.

This also requires having role accounts which aren't able to reset authentication settings when logged in, though, to really be good (or else you just disable tokens on first successful login).

Also works well for paranoid people who don't trust their phone, or people who log in only from a phone/tablet and thus where MFA is really one-device-authentication.

I see what you mean about losing the phone, but unless you're saving your password locally it still satisfies the old "Something you have, and something you know" rule. If you lose your phone, the attacker won't know your password. And an attacker without your phone won't have your OTP.

These physically secure OTP techniques are interesting, but shouldn't you have accountability at the system level anyways? If everyone has a two-factor device and a password, it's pretty tough to plausibly deny that you logged into a server. Someone would have to have guessed your password and stolen your device.

How many of Linode's subscribers do you think don't own a smartphone? I mean, outside of your enclave?

So because the majority of users have smartphones, the option for everyone else is "too bad"?

I've had my non-smartphone for six years now. It still works, and while I'm sure I'll upgrade to a smartphone one day, I have no urgent desire to do so.

Is it really that hard to set up an SMS system as a fallback? I'm still able to use two-factor on my Google account because they offer this solution.

Why can't they just use a second email address?