I see 2FA is now available in beta. That’s great, and it works well for logging into the management UI. However, I notice that there’s no change to the management APIs: I can still access all the APIs using just a username and password. That makes the 2FA a bit… pointless at the moment. Maybe this is just because it’s a beta, though.
Are there any docs on how the API authentication will work? (Presumably there are plans to change authentication for the API.)
1 Like
Still in beta.
We’ll have more on the API access.
@Joel D’sa may have some comment here.
MFA is great for user-initiated actions in a user interface, but it doesn’t fit well for user/non-user-initiated actions [e.g. tools, jobs, CI/CD, CLI ...] in a non-user-interface environment [e.g. bash, Jenkins ...].
Yes, technically you could add another factor [what they possess: maybe network, maybe IP, private keys, etc.] on top of the credentials [what they know] for non-users, but I think it’s hard. I would love to know/learn if there are simpler solutions.
You are right about this [the beta solution] being pointless: allowing the same credential to access the UI with 2FA and to access the API with just basic auth. But, as you understand, this is beta.
I think what would be great would be something similar to the AWS model: having two different types of accounts.
- User account [userid + password]
  - allows access only to the UI
  - requires MFA
  - NO API access; you can’t use it in tools, programs ...
- Service account [userid + password, like AWS keys]
  - only API access
  - basic auth
  - NO UI access; use it for your tools, programs ...
And with RBAC you could easily manage fine-grained access for both service accounts and user accounts.
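The two-account model proposed above, sketched as an added Python example (this is not code from this thread or from the product under discussion): user principals are admitted only on the UI surface and only once MFA has been verified; service principals authenticate with an AWS-style key id and secret over HTTP basic auth and are admitted only on the API surface; both then pass through the same RBAC table. The account types, role names, action names, key-id format and PBKDF2 secret storage are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class AccountType(Enum):
    USER = "user"        # human: UI only, MFA required
    SERVICE = "service"  # tools/CI: API only, key-based basic auth


class Surface(Enum):
    UI = "ui"
    API = "api"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: AccountType
    roles: frozenset


# Hypothetical RBAC table: role -> permitted actions (names are illustrative).
ROLE_PERMISSIONS = {
    "admin": frozenset({"read:config", "write:config", "manage:users"}),
    "deployer": frozenset({"read:config", "write:config"}),
    "viewer": frozenset({"read:config"}),
}

# Service-account key store: key_id -> (salt, pbkdf2 digest, principal).
# Kept in memory for the example; a real deployment would persist it.
SERVICE_KEYS = {}
PBKDF2_ROUNDS = 100_000
# Dummy entry so an unknown key_id costs the same as a wrong secret (no timing tell).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_DIGEST = hashlib.pbkdf2_hmac("sha256", b"x", _DUMMY_SALT, PBKDF2_ROUNDS)


def register_service_account(name, roles):
    """Create an AWS-style key id/secret pair; only a salted hash of the secret is stored."""
    key_id = "SK" + secrets.token_hex(8).upper()
    secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    SERVICE_KEYS[key_id] = (salt, digest, Principal(name, AccountType.SERVICE, frozenset(roles)))
    return key_id, secret


def authenticate_basic(header):
    """Resolve an 'Authorization: Basic ...' header to a service principal, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        key_id, _, secret = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    salt, digest, principal = SERVICE_KEYS.get(key_id, (_DUMMY_SALT, _DUMMY_DIGEST, None))
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    if principal is None or not hmac.compare_digest(candidate, digest):
        return None
    return principal


def authorize(principal, surface, action, mfa_verified=False):
    """Gate by account type and surface first, then by RBAC. Returns (allowed, reason)."""
    if principal.kind is AccountType.USER:
        if surface is not Surface.UI:
            return False, "user accounts have no API access"
        if not mfa_verified:
            return False, "MFA required for UI access"
    else:
        if surface is not Surface.API:
            return False, "service accounts have no UI access"
    allowed = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in principal.roles))
    if action not in allowed:
        return False, f"roles {sorted(principal.roles)} do not permit {action}"
    return True, "ok"


def api_request(auth_header, action):
    """What the API layer does: basic auth -> service principal -> RBAC."""
    principal = authenticate_basic(auth_header)
    if principal is None:
        return False, "invalid credentials"
    return authorize(principal, Surface.API, action)


def ui_request(user, mfa_verified, action):
    """What the UI session layer does after login: MFA state -> RBAC."""
    return authorize(user, Surface.UI, action, mfa_verified=mfa_verified)


def basic_header(key_id, secret):
    return "Basic " + base64.b64encode(f"{key_id}:{secret}".encode()).decode()


if __name__ == "__main__":
    kid, sec = register_service_account("ci-deployer", {"deployer"})
    print(api_request(basic_header(kid, sec), "write:config"))     # (True, 'ok')
    print(api_request(basic_header(kid, sec), "manage:users"))     # (False, "roles ['deployer'] do not permit manage:users")
    print(api_request(basic_header(kid, "wrong"), "read:config"))  # (False, 'invalid credentials')
    alice = Principal("alice", AccountType.USER, frozenset({"admin"}))
    print(ui_request(alice, False, "manage:users"))                # (False, 'MFA required for UI access')
    print(ui_request(alice, True, "manage:users"))                 # (True, 'ok')
    print(authorize(alice, Surface.API, "read:config", mfa_verified=True))  # (False, 'user accounts have no API access')
```

The point of the surface gate sitting in front of RBAC is that a leaked service key never unlocks the UI and a phished user password never unlocks the API, whatever roles the account holds; the two credential types are not interchangeable even when they name the same person or job.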
I agree, using a 2FA code for every API request doesn’t make sense. A token-based or service account approach works.
‘beta’ ;0( I feel left out!
1 Like