Strengthen protection for your GCE VMs with new FIDO security key support
Max Illfelder
Software Engineer
Christiaan Brand
Product Manager
With the release of OpenSSH 8.2 almost two years ago, native support for FIDO authentication became an option in SSH. This meant that you could have your SSH private key protected in a purpose-built security key, rather than storing the key locally on a disk where it may be more susceptible to compromise. Building on this capability, today we are excited to announce in public preview that physical security keys can be used to authenticate to Google Compute Engine (GCE) virtual machine (VM) instances that use our OS Login service for SSH management.
These advances in OpenSSH made it easier to protect access to sensitive VMs by setting up FIDO authentication to these hosts and physically protecting the keys used to grant access. And while we’ve seen adoption of this technology, we also know that managing these keys can be challenging, particularly the manual process of generating and storing FIDO keys. Additionally, physical security key lifecycle issues could leave you without access to your SSH host: if you lose or misplace your security key, you could be locked out.
At Google Cloud we’ve been working hard on integrating our industry-first account level support for FIDO security keys with SSH in a way that makes it simple to get all the benefits of using FIDO security keys for SSH login, without any of the drawbacks.
Now, when you enable security key support through OS Login for your GCE VMs, one of your security keys is required to complete the login process, and any of the security keys configured on your Google account will be accepted during login. If you ever lose a security key, you can easily update your security key configuration (i.e. delete the lost key and add a new one), and your VMs will automatically start accepting the new configuration on the next login.
If desired, OS Login’s FIDO security key support can further be combined with 2-Step Verification to add an extra layer of security with two-factor authentication (2FA). When this is enabled, a user is required to both have their security key available and prove authorized access to their Google Account through additional factors at the time of logging in to their GCE instance.
If you’d like to learn more or try this capability out on your own instances, visit our documentation to get started.