Managing Two-Factor Authentication (2FA) on a User Account

2FA (two-factor authentication) increases the security of your Linode account by requiring two forms of authentication: your password and an expiring token, also called an OTP (one-time passcode) or 2FA code. This follows the security principle of authenticating with something you know (a password) and something you have (the device used to generate the token). This additional layer of security reduces the risk that an unauthorized individual can gain access to your Linode account. Linode highly recommends enabling 2FA.

Note
Managing 2FA through Linode is only available if Linode is selected as the Login Method. If you select a third-party authentication provider (such as Google or GitHub), 2FA is managed directly through that provider and not through Linode.

Choosing a 2FA Provider

Before enabling 2FA on your user account, you need to determine which application you wish to use for managing your authentication and generating the expiring tokens (OTPs). You may want to consider using your existing password manager or using a dedicated authenticator app.

Use Your Password Manager

Most password managers offer a built-in OTP feature. If convenience is a large factor for you, using your password manager is typically faster and no extra applications are needed. Once configured, you can copy your OTP token from the same application that stores your usernames and passwords. In many cases, your OTP token can automatically be pasted into the appropriate field on your web browser when logging in. Here are some password managers that support OTP / 2FA tokens:

The primary downsides of using your password manager as your OTP provider are security and cost. If a malicious actor gains access to your password manager, they also now have access to your OTPs. To prevent this, consider using a dedicated application (see below).

Use a Dedicated Authenticator App

There are quite a few free (and paid) third-party authenticator applications available. They are typically more secure than using your password manager’s OTP functionality as a malicious actor cannot gain access to your Linode account (or any other 2FA protected account) unless they know your password and have access to the particular device on which the authenticator app is installed, typically your smartphone.

Enabling 2FA

Enable two-factor authentication to start using it with your Linode account.

  1. Log in to the Cloud Manager.

  2. Navigate to the Login & Authentication page of your profile by clicking on your username in the top right of the screen. Select Login & Authentication from the dropdown menu.

  3. Within the Login Method section, select Linode as the login provider. If you configure a third-party provider (such as Google or GitHub), you instead can manage 2FA directly through that provider and not through Linode.

  4. Under Security Settings, verify that you have configured all 3 security questions. If not, follow the instructions within the Security Questions guide.

  5. Within the Two-Factor Authentication section, click the toggle switch to enable 2FA.

    A QR code should appear, along with a secret key and a field to enter your 2FA token.

  6. Open the app for your preferred 2FA provider on your smartphone or desktop. For help choosing a provider, see Choosing a 2FA Provider.

  7. The next step is to configure the app to automatically generate OTP tokens for use with Linode’s 2FA feature. The process varies depending on the app you are using. Within most dedicated authenticator apps, you can add an account. For password managers, edit or add a Linode login entry and add a one-time passcode (1Password), two-factor code (Keeper), or the equivalent field within your app. Then either scan the Cloud Manager’s 2FA QR code or manually enter the secret key (also called a setup key or code). On mobile devices, you can use your phone’s camera to scan the QR code. Desktop applications instead can typically scan the QR through their own custom screen capture tool. If you need further help, you can consult the documentation for your 2FA provider.

  8. Once 2FA has been configured in your 2FA provider, a time-sensitive OTP token is generated. This token refreshes every 30 seconds. Copy this token and, within the Cloud Manager, paste it to the Token field and click Confirm Token.

  9. Once the token is successfully confirmed, a scratch code appears. Save this code to a secure place, such as a password manager. If you ever lose access to your authenticator app, this scratch code can be used once in place of the OTP token. 2FA is enabled on your account.

Logging in When 2FA Is Enabled

If 2FA is enabled on your account, you must enter the OTP generated by your 2FA provider when you log in to the Cloud Manager.

  1. Open the Cloud Manager in your web browser. If you are not already logged in, the Login page appears.

  2. Enter your username and password and click Log in. If you wish, you can also select Trust this device for 30 days to stay logged in for 30 days. If 2FA is enabled on your account, a form appears requesting your OTP token or scratch code.

  3. Open the authenticator app you are using to manage your 2FA and OTP tokens. Within this app, open the Linode account or login entry to view the time-sensitive OTP code.

  4. Enter your OTP token into the Token field in the Cloud Manager and then click the Verify button. Provided the token is correct, you are successfully logged in.

    Note
    If you entered your one-time use scratch code instead of an OTP token, a new scratch code is automatically generated and provided to you. Save this code for the next time you do not have access to your authenticator app.

Switching to a New Device or 2FA Provider

If you need to switch your 2FA provider or change the device in use by your two-factor authenticator app, you can do so within the Cloud Manager. To successfully log in to the Cloud Manager, you must have access to your original 2FA provider or device. If you’ve lost your device or otherwise don’t have access, see the Recovery Procedure below.

  1. Log in to the Cloud Manager.

  2. Navigate to the Login & Authentication page of your profile by clicking on your username in the top right of the screen. Select Login & Authentication from the dropdown menu.

  3. In the Two-Factor Authentication (2FA) section, click Reset two-factor authentication.

  4. A new QR code and secret key are generated for your account and displayed on the screen. Follow the instructions in the Enabling 2FA section.

Disabling 2FA

You can disable two-factor authentication for your Linode account at any time. Here’s how:

  1. Log in to the Cloud Manager.

  2. Navigate to the Login & Authentication page of your profile by clicking on your username in the top right of the screen. Select Login & Authentication from the dropdown menu.

  3. In the Two-Factor Authentication (2FA) section, toggle the Enabled switch to disable two-factor authentication.

  4. A confirmation window appears asking if you want to disable two-factor authentication. Click Disable Two-Factor Authentication.

You have successfully disabled the two-factor authentication feature for your Linode Cloud Manager account.

Recovery Procedure

If you lose access to your 2FA application without first removing 2FA from your account, you will be unable to log in to the Cloud Manager. In this case, you will need to contact Linode Support and provide a few pieces of information to confirm your identity, such as valid answers to your security questions. If you enabled 2FA prior to June 27th, 2022 and have not configured any security questions, you will need to verify your identity by providing images of your payment card and photo ID.

With Security Questions

  1. Contact the Linode Support team through phone or email and state that you are locked out of your account and would like to remove 2FA.

  2. A member of the Support team will ask you to provide valid answers to each of your security questions.

  3. Your answers and any other details provided will be reviewed. If the information provided is sufficient, the team member will remove 2FA from your account. If additional details are needed, you will be provided with further instructions.

Without Security Questions

  1. Send an email to support@linode.com and state that you are locked out of your account and would like to remove 2FA.

  2. Once the email is processed, you will receive a confirmation email referencing a unique ticket number.

  3. Open the Credential Submission Portal and enter your ticket number and the email address on your account.

  4. Upload the following images through the portal:

    • An image of the front and back of the payment card on file, which clearly shows the last 6 digits of the card number, the expiration date, cardholder name, and bank logos.
    • An image of the front and back of a government-issued photo ID that matches the name on the card.
  5. A member of the Support team will review your submission and respond to your ticket. If the information provided is sufficient, the team member will remove 2FA from your account. If additional details are needed, you will be provided with further instructions.
