Looking at further securing my NS8 installation, specifically access to the cluster-admin page, and I’d like to use a Yubikey for 2FA purposes (perhaps even to act as a passkey). These are widely available and moderately priced (around US$50, depending on the exact flavor), quite secure, and frankly a bit more convenient than “pull out the phone, open Authy, find the right site, key in the code.”
Yubikeys aren’t the only hardware security keys on the market, and there are a few standard and open-source protocols for such devices (FIDO, FIDO2, passkeys, etc.). So both the tools and the code are available and free.
Of course, the best way to handle this would be to implement a proper SSO/IAM system like Authentik or LemonLDAP::NG–perhaps adopting or building on Martin’s work on the former. But until that’s done, any chance of supporting such keys in the cluster-admin system?
See also: