When I initially created my Fly account I created it with an email and password combination. I added 2FA using TOTP stored on my YubiKey, since TOTP is the only form of 2FA Fly supports.
I always considered it nearly as good as using my YubiKey directly (via WebAuthn), since the TOTP secret resides securely on the YubiKey and cannot be reasonably exfiltrated like it can from a TOTP app. However, recent events - aka Fly’s X account takeover - have highlighted for me that my setup misses a critical security feature: it is not phishing resistant.
I found I can attach my GitHub account, which fortunately supports WebAuthn (which Fly does not), and in fact my GitHub account has had WebAuthn-based 2FA enabled for a while now. I have a problem though. Even though I have linked my GitHub account and can log in using it, I can also log in with my old username and password too, effectively bypassing the enhanced security of my GitHub account.
So what I want to know is, is there an option to remove my password so GitHub is the ONLY way to authenticate to my Fly account?
And on a somewhat related note, I also noticed Fly supports restricting org access to Fly users within our GitHub org, which is a nice touch, and one I want to enable as we grow to need others besides myself to have access to Fly. And as we look to onboard other users, in addition to forcing them to be members of our GitHub org, can I also force it so that GitHub is the only way they can log in to their Fly accounts? That way we can enforce secure 2FA on GitHub and take advantage of the enhanced security on Fly without Fly having to put engineering effort into supporting WebAuthn directly. I assume this is not (currently) possible, but maybe I am wrong, and if it is not I would love to see this added.
In fact, I would also like to see more granular controls; for example, not just that you must be part of our GitHub org, but that you must be part of a specific team in our GitHub org would be ideal IMO.
One thing you could do to increase your email sign-in security is to use address aliases; it’s not quite the same as disabling email sign-in, but it is a bit better.
Say your email address is msco1970@gmail.com. Lots of people will know this is your email address, so if they know you use Fly, they already have one half of your sign-in details. But you can change this using aliasing; use something like msco1970+aDdiTioNaL-SeCrEt456@gmail.com and don’t share that with anyone outside of Fly. I expect the platform will require you to resubscribe the email, to prove you own it. Providers that support aliasing (such as Google) will still forward the email to your account.
Can you be more specific about the security risk you’re trying to defend against?
If someone is wanting to masquerade as you, then they’ll assume you’ll use an email address you give out to everyone. So, part of the solution is to use a unique email address. Thus, your assertion is quite wrong: it does solve something.
(Part of my helping you is perhaps my understanding of the product process. If Fly does not already allow customers to turn off email auth, then they won’t implement that especially for you. In general, even good ideas get backlogged. So you probably need to make the best of the situation you have now, even if it is not ideal.)
If Fly does not already allow customers to turn off email auth, then they won’t implement that especially for you.
I think you are missing the point: they already do for accounts that were initially created using login with GitHub/Google. I’m just trying to figure out how to get this same setting on an existing account where login with GitHub is added after the fact.
Maybe there’s a switch for it they can throw. But, do brace yourself: if this is a feature request, then it may not be something you can have yesterday. Such is product development.
The SSO requirements actually bounce through SSO when accessing org resources; it doesn’t matter whether you’re logging in to the Fly account with GitHub or email/password, it always forces GitHub auth.