Container image library Docker Hub has been updated and now includes a beta version of two-factor authentication.
The feature was implemented using the time-based one-time password (TOTP) algorithm, which should offer fewer attack vectors than, for example, the widely used text message-based approach. Besides user credentials, TOTP requires an authenticator application or a hardware key to work.
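To make the mechanism concrete, here is an added illustration of how a TOTP code is derived and checked on the server side; it is example code written for this article, not Docker's implementation. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP): the shared secret and the current 30-second time step go into HMAC-SHA1, and a few digits are truncated out of the result. The secret used is the RFC 6238 Appendix B test vector, so the eight-digit codes can be checked against the published values; the verifier's drift window and replay set are design choices of this example, not anything the page attributes to Docker Hub.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 Appendix B test key for HMAC-SHA1,
# base32-encoded the way authenticator apps store it. Not a real credential.
DEMO_SECRET_RAW = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(DEMO_SECRET_RAW).decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced to `digits` digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks the 4-byte window
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, used_steps=None) -> bool:
    """Verifier-side check (this example's policy, not a standard):
    - accept the code for the current step or up to `window` steps either side,
      to tolerate clock drift between client and server;
    - remember which time steps have already been consumed so the same code
      cannot be replayed within its validity period;
    - compare in constant time so a mismatch leaks nothing about the expected code."""
    if used_steps is None:
        used_steps = set()
    current = unix_time // step
    # check the exact step first, then the neighbours
    for offset in sorted(range(-window, window + 1), key=abs):
        step_index = current + offset
        if step_index in used_steps:
            continue
        if hmac.compare_digest(hotp(secret_b32, step_index, digits), code):
            used_steps.add(step_index)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 with SHA1 and 8 digits must give 94287082
    print("RFC vector:", totp(DEMO_SECRET_B32, 59, digits=8))
    print("current 6-digit code:", totp(DEMO_SECRET_B32, int(time.time())))
```

The replay set and the drift window are where most deployments differ: a narrower window means stricter clock requirements, and without remembering consumed steps a captured code stays valid for the remainder of its 30-second slot.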
While this is indeed one of the more secure approaches, it also means that logging in is no longer possible should you lose your device or access to your authenticator app. Access can then only be recovered via a code which is presented when two-factor authentication is first enabled. Docker therefore advises saving it somewhere safe, without saying what that might look like. It also remains to be seen how hard it will be to adapt CI/CD pipelines to the new addition, should it someday become mandatory.
Users interested in the new feature can activate it in the Security section of their account settings. Anyone who normally accesses their account via the CLI will however have to create a personal access token in order to keep logging in that way. This can be done in the same tab.
According to Docker’s senior director of product management Shanea Leven, the new addition means Docker recognises “the central role that Docker Hub plays in modern application development”.
This might not be the only reason for Docker to concentrate on these issues, though, since the company had to deal with a data breach at the Hub earlier this year. Back then, sensitive data of up to 190,000 users could have been exposed after a customer database was hacked.
To prevent such a thing from happening again, Docker is apparently working on further “enhancements around security and content”. These include support for WebAuthn and a way for organisations to enforce two-factor authentication for all their members.