Please provide 2-factor access for the management console
My Gmail, Facebook, and bank accounts already have an ability to offer a 2 step authentication process by requiring I enter a confirmation number that's sent to my phone.
A feature like this would go a long way to compartmentalizing our security in case, say, our email server was rooted.
Two step verification is becoming a common practice in the industry and I'd like to be able to secure my Rackspace account with two step verification that utilizes Google Authenticator. Please let me know whether this feature is available on Rackspace (even if it's in beta, I would be happy to test it for you) or when it will be available.
Currently a compromised password (particularly an admin password) could leave an organisation's e-mail system entirely compromised. This option is available from providers like Google (for free) and therefore should be made an option on solutions offered by Rackspace.
A good deal of work is put into layering the security of servers and applications we deploy. I believe a weak link in the overall security of the cloud services environment of Rackspace is the control panel's use of a simple login and password without a great deal of accountability.
I would like to see a two factor authentication approach put in place for the web based control panel. A common approach is for the second factor to be a one time password (OTP) through the use of a Vasco Key or YubiKey. These mechanisms are also surprisingly easy to implement.
In addition, an activity/access log should be implemented to provide an appropriate level of surveillance on the use of the cloud control account(s). This should at the very least detail each access including date, time, IP address, etc.
Currently it is possible to log into the cloud control panel at manage.rackspacecloud.com using just a username and password. Anyone who accesses this control panel can add new servers, delete servers, access cloud files storage, and most dangerous of all, reset the root password for any existing server. Because of this, if an account username and password were ever compromised, it would pose an extreme risk to the operations and security of all the user's cloud services.
To make all Rackspace products more secure, I propose adding an optional extra layer of security, for example one requiring identity verification using a mobile device. This model has been used successfully by companies such as Google and PayPal, and would make using Rackspace far more secure as the management console would be extremely difficult to attack.
Details of similar schemes:
I suggest that you add an additional layer of login security, in the way Google implemented it with Gmail.
One needs to have login codes sent to a mobile phone when logging in.
That would drastically decrease the possibility of malicious person/s accessing the full administration panel, which could be disastrous.
Enable the use of SecurID for people who need to work from home. Right now, the web portal is too vulnerable, allowing anyone with access to the web portal to log in and delete servers and use the console to try to hack into the servers.
PayPal lets their users order security key cards for $5. When I log into my account w/user/pass it then asks me to enter a code on the digital card I received (push a button to get a new code each time).
It would be great to have something similar for the Control Panel. If some clown gets me with a key-logger, it would be okay. They can't get into my account, delete my sites and ruin my life without having the physical card in hand.
I do not know if VeriSign provides such cards for others but I would not be surprised if this technology catches on and is or will be provided as a norm in various industries.
I apologize for the delay in the release of this feature. We are working to allow multiple user access for a cloud account at this time and will be picking 2-factor back up soon. I will update this forum when a timeline is more concrete.
Rackspace Identity Product Manager
+1 this request
Getting many security breaches now. 3 in three weeks. Passwords are crazy strong, all separate passwords etc., it's no longer adequate protection. Sort this asap or I'll be forced to find a hosting provider that does have it. AKA, GODADDY!!!!!
As a suggestion, why don't you use Google Authenticator, just like Dropbox did?
That would definitely shave off tons of development time
I got this from Rackspace's Facebook page.
Sorry for the delay Matt, and thanks for bringing that thread to our attention. We've reached out to Joe (the product manager who has been updating the thread) and have confirmed that we have had to delay the development of 2-factor authentication in order to concentrate on our deployment into several new data centers. These new datacenters are online now and his team has one more major update to our authentication platform in the works. We will be able to share details about this update in a few weeks.
Once this auth update is completed, we plan on picking up development on two factor auth in the next month or two and will update https://feedback.rackspacecloud.com when we do.
We sincerely apologize for the inconvenience. Two factor auth is an extremely high priority for us to deliver and we will deliver it to you as soon as we are able.
Please feel free to reach out to us or to your account manager if you have any other questions or feedback for us!
Over 2 and a half years since this was requested. It's a joke. Two-factor authentication should be offered not just for the management console but for all cloud files / hosted email account logins. If even Microsoft and Google are offering this (for free) - it is next to unbelievable that a 'premium' provider like Rackspace still is unable to offer such a basic security protection to the businesses using its hosted cloud products.
Any idea when you'll be releasing the timeline for this? I consider this feature to be critical, and it's been "in the works" for almost a year, during which its status has downgraded from "Started" to "Planned"... and your comment seems to imply that the real status is "Planned-to-be-planned". Is this being taken seriously? It's a BIG DEAL.
Mr. Savak, thank you for your update, but this answer is essentially the same, if not even more vague than the last one, eight months ago. Could you please be more specific? Thank you.
I just sent them a Ticket Q about this. Will post update.
Anyone at Rackspace listening?
Daniel Ellis commented
We had a major security breach this week that would have been prevented by this feature.
Steven Balthazor commented
Why is this taking so long? Even someone from your own security team has emphasized that two-factor authentication is a necessity: http://developer.rackspace.com/blog/crank-up-app-security-with-multi-factor-authentication.html .
It's been more than 6 months since development of this feature apparently began, can we please at least get an update? If there isn't even a timeline yet it's hard to believe you're serious about this.
Even Microsoft's Outlook.com is using two factor authentication that is compatible with Google's app. Twitter just started using SMS based two factor. After eight years with you guys starting with webmail.us is it really time for me to switch to Google Apps or Outlook.com?
Benjamin Johnson commented
Can you provide more information regarding the solution and expected timeline here? Google Two-Factor Auth, Yubikey, Duo Security, SMS texting, etc -- I don't care what it is. We have some very critical systems hosted with you, and if someone compromises our account they will have tremendous power to damage our company. The only thing preventing them is (hopefully) not knowing our password. Everything else about your solutions has been great for us, but we're scared at the lack of two-factor auth. Thank you.
Thomas Spear commented
Joe: can you provide more info on what form of two-factor authentication is being implemented? Is it HOTP? YubiKey? Symantec VIP? RSA SecurID? Really looking forward to this!
Seriously, we so need this to ensure our portals aren't compromised through watering-hole attacks like the ones that just hit Apple and Facebook.
Is there any update on when this is going to be available? Thanks
Any new info on development? I feel uneasy about accessing Rackspace with many accounts using just a password. All that would be needed is just one lousy key-logger, or a security hole, and all accounts would be compromised.
Rackspace - Is there any update on timing? The lack of this basic security measure should be addressed urgently.
Also, will this be added at the same time for the e-mail and apps control panel - to protect hosted exchange servers etc which are equally as vulnerable?
Muhammad Danish commented