New on LowEndTalk? Please Register and read our Community Rules.
Providers with support for FIDO2/Security Key 2FA
Many support TOTP, but that's vulnerable to phishing, requires a shared secret, and can be guessed (1 in a million chance is not hard to guess), so I am wondering if there are any that support FIDO2 security keys.
Thanked by 1hyperblast
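Added example, not part of any post in this thread: a minimal Python sketch of why a TOTP code is phishable while a FIDO2/WebAuthn assertion is bound to the site. The host names, secret and challenge are constructed, and signature verification of the assertion is assumed to be done separately by a WebAuthn library.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, t: int, window: int = 1) -> bool:
    """Server side: nothing in the code says which site the user typed it into."""
    return any(hmac.compare_digest(totp(secret, t + d * 30), code)
               for d in range(-window, window + 1))

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it; the page cannot choose the origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def check_binding(cdj: bytes, auth_data: bytes, origin: str, rp_id: str,
                  challenge: bytes) -> str:
    """Relying-party checks on a WebAuthn assertion. Assumption: the signature
    over auth_data || SHA-256(cdj) is verified separately by a WebAuthn library."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != origin:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if len(auth_data) < 37 or not auth_data[32] & 0x01:  # flags bit 0 = user present
        return "user not present"
    return "ok"

def demo() -> dict:
    secret, now, chal = b"constructed-shared-secret", 1_700_000_000, b"\x07" * 16
    rp, good, fake = "panel.example", "https://panel.example", "https://panel-example.test"
    def auth(rp_id: str) -> bytes:  # rpIdHash | flags (user present) | signCount
        return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4
    return {  # constructed inputs: same code/assertion, different site of entry
        "totp_typed_elsewhere": verify_totp(secret, totp(secret, now), now + 20),
        "webauthn_real_site": check_binding(client_data(good, chal), auth(rp), good, rp, chal),
        "webauthn_lookalike": check_binding(client_data(fake, chal), auth("panel-example.test"), good, rp, chal)}
```

With `window=1` the server accepts three codes at any moment, so a single blind guess succeeds with probability 3 in 10^6 unless attempts are rate-limited.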
Comments
A lot of hosts are just cookie-cutter WHMCS + SolusVM hosts and thus won't have anything too fancy. The hosts with custom control panels are more likely to support FIDO2 and WebAuthn, but I don't think I've seen any hosts that support it yet.
I know @crunchbits supports FIDO2 keys to secure your login to the VPS control panel.
Virtfusion supports physical key 2FA. Unfortunately the WHMCS integration is likely useless though.
Securing your account like a fortress while you don't know if your hoster is doing the same with Administrator rights is like placing a well-guarded castle in the center of a sand wall.
I say this because if you were thinking of using a major hoster like AWS, you already had 2-FA.
If you use Sign In with Google/GitHub/Okta and have a key linked to those then you can kind of get it (Linode/Vultr/DO are examples).
Gandi supports security keys. I think OVH does.
Yes, OVH supports 2-FA via SMS & Google Authenticator (we have 2-FA enabled).
FIDO2 would be nice, but it's not widespread.
Vultr supports YubiKey as 2FA.
I'm waiting for passkey support to become widespread. Not a VPS provider, but as a registrar, Porkbun already supports passkeys.
Different threats. I am guarding against you accessing my account or VPS, not a host I have already entrusted with my money.
There is also the fact that when I look at a provider who has put the effort to support a security feature it means they have a higher chance of understanding security overall and that has potential impact on other security decisions throughout the company.
So until now I could confirm both OVH and Gandi have support for it.
Unable to confirm if crunchbits does but the account part doesn't support it.
For domain registrars, Namecheap, Cloudflare and Porkbun do.
It's not standard FIDO2 if you have to use only a single brand as a key.
It is FIDO2, same as where most places put Authy or Google Authenticator when they really meant any TOTP-compatible apps.
Yubikey doesn't run on its own gated proprietary protocol.
It's not FIDO2, it's a custom protocol called Yubikey OTP which is (I assume) storing the secret that would normally be used for TOTP.
Vultr specifically mentions that distinction as they list TOTP as "Google Authenticator and Compatible Apps" while Yubikey OTP authentication as "2FA via Yubikey".
If you're looking for an email host, Mailcheap has FIDO2/WebAuthn for both our client area and email portal. This is for primary authentication (PIN/biometrics + key) and not 2FA which still uses TOTP. If you add 2 or more passkeys, our system allows for disabling password authentication altogether.
As for hosting providers, we use quite a few so I can provide some insight into them:
Pavin.