MFA Option for Tardigrade Web UI Login

I’d like to see an MFA option for accessing the Tardigrade Web UI.
Google Authenticator or Authy would be ideal.

1 Like

Would you like to move it to the voting category?

I’m referring to the Tardigrade Web UI where you manage Users and API Keys.

us-central-1.tardigrade.io/login

1 Like

Ah, ok. I confused it with a storagenode dashboard…
Sorry for that.
Would you like to move this idea to the voting category?

Good evening. Sorry for the very late reply. Just checking in on this project to see some of the new features. Noticed there is still no 2FA/MFA option for the Satellite UI where billing and access keys are configured. Any update on that feature? It seems like the data on the network is well protected. But if my satellite credentials were to be compromised, someone could delete all my keys and lock the door on the way out. Leaving me with no access to my data until the password gets reset and new keys set up.

They cannot lock anything while you have access to your email address - you can always change the password, remove their access grants and create new ones. Depending on how you configured an access grant, you can have full access to your data back.

You cannot replace an email via the UI; you need to file a ticket for that. And the first thing we would ask is to confirm that you have access to your current email address, by sending a confirmation URL to that email address.

Important thing: even if they get access to your account, they cannot read your data without knowing your secret phrase. The keys in the UI are impossible to copy; they were available only once, at creation time. When you closed the window, they were gone with it. The only thing that remains is the name (and the tied hash used to recognize it when you use it later, but it’s not available via the UI and has no effect without knowing the secret phrase).

So, you really need only two things - access to your email and your secret phrase. You can always regain access to all your data.

What if:
A competitor or bad actor launches a globally distributed credential stuffing attack against the three satellites simultaneously, with only two tasks/goals: delete all access keys, and change the user password.

Imagine the service disruption this would cause. The flood of support tickets, forum posts and bad press you now have to triage. Due to the distributed nature of the attack, your only option to stop further damage is to temporarily block access to the satellite UI until the attacker gives up or runs out of funding for the botnet attack.

Adding 2FA/MFA to the satellite UI prevents this type of attack and service disruption. It’s also a common/standard feature among all production worthy cloud storage providers.

1 Like