NEW! Mirantis Academy -   Learn confidently with expert guidance and On-demand content.   Learn More

STORE

PUBLIC SECTOR

< BLOG HOME

Mirantis Kubernetes Engine 3.4.0 Two-Factor Authentication

Ryan Zhang - January 01, 2011
- Yubikey, security, Mirantis Kubernetes Engine, kubernetes, Google Authenticator, authentication, 2FA
image

Compatible with a host of password services and authenticators, two-factor authentication now enhances Mirantis Kubernetes Engine access security


Two-factor authentication (2FA) adds an extra layer of security when logging into Mirantis Kubernetes Engine (MKE). With 2FA, you still have to log in with your username and password, but you must also provide another factor of authentication that only you know or can access.


For MKE, the second form of authentication is a code generated by an application. After you enable 2FA, MKE generates an authentication code any time you attempt to sign into your MKE account. The only way you can sign into your account is if you can provide both your password and a correlated code, generated by a Time-Based One-Time-Password (TOTP) application.


As of MKE 3.4.0, 2FA only protects access to the administrative webUI. Enabling 2FA for other access methods, like CLI access via client bundle, and access to the REST API, may be supported in future releases.


Configuring MKE for 2FA with a TOTP Mobile Application


A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. At the time of this writing, you can consider TOTP applications such as 1Password, Authy, LastPass Authenticator, Google Authenticator, or Yubico Authenticator with a registered YubiKey for use with MKE.


To configure:


  1. Navigate to the Security page of your user Profile and click to enable two-factor authentication.

    2. 2fa-image-1
    Mirantis Kubernetes Engine 2FA presents a QR code that lets you easily register a mobile authentication app that provides time-based one-time passwords (TOTP).

  2. Scan the QR code using your mobile device's application. After scanning, the application displays a six-digit code that you can enter into MKE.

  3. The TOTP mobile application saves your MKE account and generates a new authentication code every few seconds. On MKE, type the code and click Enable.

  4. Once you enable two-factor authentication, MKE generates a set of one-time use recovery codes, which can help you get back into your account if you lose access to your phone, password repository site, or keyfob. Save your recovery codes in a safe place.

    5. 2fa-image-2
    Mirantis Kubernetes Engine generates one-time codes enabling access if you lose your phone or other authenticator. Keep these in a safe place.


Accessing MKE using two-factor authentication


With two-factor authentication enabled, you will need to provide an authentication code when accessing MKE through your browser. If you have set up two-factor authentication using a TOTP application on your smartphone, you can generate an authentication code for MKE at any time. In most cases, just launching the application will generate a code automatically. The code generated may be valid for a short period of time, often 30 seconds, before it changes to a new one.


To sign in, just provide the code with your username and password


2fa-image-3
Mirantis Kubernetes Engine 2FA login: just provide the code from your authenticator, along with your username and password.

In a rare case where your authentication fails several times, it may help to synchronize your smart phone's clock with your mobile provider.


Disabling 2FA


We strongly encourage using two-factor authentication to secure your account. If you need to disable 2FA, however, we recommend that you enable it again as soon as possible.


To disable, navigate to the Security page of your user Profile and click to disable.


If you Lose your Authenticator


If you lose access to your phone, you may not be able to authenticate to MKE. During two-factor authentication configuration, MKE provides a set of recovery codes. You can use each of these codes as a one-time use authentication code. If you have misplaced those codes, the only way to log into your MKE account is by asking the admin to disable two-factor authentication for you. You can then re-enable two-factor authentication with your new phone.


What's Next for 2FA on MKE?


Given the importance of securing your Kubernetes clusters, future versions of MKE will include additional support for 2FA, including:


  • Mandatory enforcement of 2FA for an organization, letting you enforce 2FA for all members of an organization, and provide methods for checking and alerting employees who are not in compliance.

  • Configurable 2FA will let administrators set various configurations of 2FA to improve user experience and compliance.

Try 2FA on MKE


It's easy to try two-factor authentication on Mirantis Kubernetes Engine. The one requirement is a Mirantis Kubernetes Engine cluster, which you can deploy free at small scales. Just follow the link to our download recipe, to deploy an MKE test cluster on almost any virtual infrastructure.

Choose your cloud native journey.

Whatever your role, we’re here to help with open source tools and world-class support.

GET STARTED
NEWSLETTER

Subscribe to our bi-weekly newsletter for exclusive interviews, expert commentary, and thought leadership on topics shaping the cloud native world.

JOIN NOW
Mirantis logo

900 E Hamilton Avenue
Suite 650
Campbell, CA 95008
+1-650-963-9828

Privacy Policy

Do Not Sell My Information

UK Modern Slavery Act Statement

Sitemap

Digital Self-Determination
Services
Platform
Company

© 2005 - 2024 Mirantis, Inc. All rights reserved. “Mirantis” and “FUEL” are registered trademarks of Mirantis, Inc. All other trademarks are the property of their respective owners.