When will Linode support FIDO2/WebAuthn for logging in?

There was another thread on this over 3 years ago where @scrane said it was on their radar, but since that post there has been no official Linode answer. It's been over 3 years now, is it still on the radar, or did it drop off?

I'm trying to move all of my important accounts to only use hardware tokens for added security, and Linode is an account I want to protect the most.

3 Replies

Some good conversations about Hardware Keys and 2FA options have happened recently here.

Currently Yubico Authenticator is a good workaround that functions similarly to Duo or Google Authenticator by creating TOTP authentication codes that are backed by your YubiKey hardware.

Direct support for FIDO2 or similar hardware tokens is still something that is in our feature request tracker. I hope this provides some clarity around the situation.

Interesting. This article from Ars Technica suggests that TOTP is fatally compromised in this role, and that off-the-shelf kits are currently being used to circumvent TOTP-based solutions. So this sounds like an ineffective and inadequate response. Am I wrong?

https://arstechnica.com/information-technology/2023/03/software-for-sale-is-fueling-a-torrent-of-phishing-attacks-that-bypass-mfa/

@clements I'm not a huge cyber security buff, but looking through the comments on that same post, it looks like:

If the website doesn't support anything else, there's nothing you can do. Be aware/vigilant about how you got to the website asking for your TOTP code. Did you get there via an email? Was it a browser tab/window you weren't looking at for a bit and now is a login prompt? (some malicious scripts wait until the window is inactive for a time before overlaying a login prompt, to trick you into authenticating).

You should be able to use, albeit support is still fairly limited, either PassKey (soft token, browser/OS support varies) or a YubiKey (physical token). But any MFA is better than no MFA.

Adding to that comment, it looks like many other vulnerabilities that already exist for web security. Basically, you just have to be methodically paranoid. If you see something in an email, go directly to the site via your browser in a new session. Bonus points if you can do this on another device.

-Micah
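Why the thread treats a TOTP code (even one generated by a YubiKey) differently from a FIDO2/WebAuthn login: a TOTP verifier has no idea which site the user typed the code into, while a WebAuthn relying party checks the origin the browser recorded before it checks the signature. The following is an added example, not code from the thread or from Linode; the TOTP part is RFC 6238 (checked against its published test vector), the WebAuthn part is a deliberately simplified model with HMAC standing in for the authenticator's public-key signature, and every origin, seed and key in it is constructed.

```python
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example"   # constructed relying-party origin

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). Nothing here records where the user
    typed the code, so a code relayed through a proxy verifies like a genuine one."""
    msg = struct.pack(">Q", unix_time // 30)
    h = hmac.new(secret, msg, hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = struct.unpack(">I", h[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), code)

def sign_assertion(cred_key: bytes, auth_data: bytes, client_data_json: bytes) -> bytes:
    """Simplified WebAuthn assertion (constructed model): the authenticator signs
    auth_data || SHA-256(client_data_json). The signature is modelled with HMAC under
    a per-credential key so this runs on the standard library; real authenticators
    use a public-key signature, but the origin check below is the same."""
    return hmac.new(cred_key, auth_data + hashlib.sha256(client_data_json).digest(),
                    hashlib.sha256).digest()

def verify_assertion(cred_key: bytes, challenge: str, auth_data: bytes,
                     client_data_json: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data_json)
    # client_data_json is written by the browser and carries the origin the user was
    # really on; a mismatch is rejected before the signature is even checked.
    if (cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN
            or cd.get("challenge") != challenge):
        return False
    return hmac.compare_digest(sign_assertion(cred_key, auth_data, client_data_json), sig)

def relay_demo() -> dict:
    """Constructed scenario: the user completes login on a look-alike origin that
    relays everything to login.example. Which factor does the real site accept?"""
    secret, now = b"12345678901234567890", 59          # RFC 6238 test-vector seed and time
    cred_key, auth_data = b"per-credential-key", b"\x00" * 37   # constructed credential
    challenge = "c29tZS1jaGFsbGVuZ2U"                  # challenge issued by login.example
    results = {"totp_relayed_accepted": verify_totp(secret, totp(secret, now), now)}
    for label, origin in (("relayed", "https://lookalike.example"), ("genuine", RP_ORIGIN)):
        cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        sig = sign_assertion(cred_key, auth_data, cdj)
        results[f"webauthn_{label}_accepted"] = verify_assertion(cred_key, challenge, auth_data, cdj, sig)
    return results
```

`relay_demo()` returns the TOTP code as accepted and the relayed WebAuthn assertion as rejected, which is the property the Ars Technica article is describing; the detection opportunity for a site that only offers TOTP is correspondingly limited to the vigilance the replies above recommend.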
