Dreamhost Adds Google Auth for Panel Access

DreamHost (the web hosting provider of this site) has added two factor authentication to the site administration panel using Google Authenticator.   They’ve provided more information and instructions in their wiki.

After customers enable two factor authentication on their accounts, they would sign in with their existing password and the code provided by Google Authenticator.   A cookie can be used so you don’t have to provide the Google auth code every time you log in.

This is a good step up in security.   It is is important to note that logging into the panel is just one way that attackers can compromise your site.   Your other logins (SFT, database, applications) remain password based.

A recent compromise at Cloudflare reminds us that enabling two factor authentication isn’t a cure all.  One of the facets of that attack was that performing a “lost password reset” allowed access without the two factor code.   That hole has since been closed by Google.

Your account is only as secure as its password reset options.   Password reset is merely another way to access your account.  In the case of DreamHost, the password reset comes as a link in an email to your account of record.   What if your account of record was compromised?   When I click on the link to password reset, DreamHost disables two factor authentication and allows me to pick a new password.   You’re well protected against malware harvesting your logon credential saved insecurely on the system (although I think automated malware would be much more interested in your SFTP login).  To protect against a more determined attacker you’d want to make sure your email of record with DreamHost is also well protected.