I was wrong. I didn’t have 2FA enabled on any aspect of GCloud, but do have it enabled on many other websites.
Anyway, it took me about a day to set up 2FA hardware key authentication just on my main gmail account using a 3rd-party 2FA hardware key brand, not google’s somewhat expensive hardware keys. I’ve never used hardware keys before, primarily because i only use linux as my operating system, for which many hardware keys haven’t work natively in the past, so I I’ve only used google 2FA authentication app via my cell phone in the past. Anyway, I didn’t know hardware keys are so effective and space-saving.
I’m hooked on them now. No more cell phones or password-only protected websites where my passwords are so long and have so much entropy (impossible to memorize), I need an encrypted USB to store them safely. Now, I can just leave even my user/password combo on my laptop in plaintext, and even if my laptop gets stolen, and they have access to my user/pass combo, the 2FA hardware key is still required for authentication. Since it’s 3rd-party cheap solution (only $18), I wasn’t sure it would work on gmail and other google services, but it does, including google cloud! So, I got lucky with this 3rd-party cheaper alternative to google’s more expensive hardware key solution.
Anyway, this particular hardware key is limited in the websites it can protect - hopefully, they’ll add more website support in the future. Right now it protects against logins to a number of google products and services, like GCloud, and also Amazon, AWS, and a few other major websites, so access to any GCE VM instances via web browser login are denied, for example.
How did you get 2FA on your actual ssh-to-VM instance logins?
Is key rotation the same as replacing expired keys or just replacing keys after a certain amount of time has passed? Do you know if GCE has an automated process for that, so you don’t have to waste time if you forget to do it manually?
I’m going to try to set up key-rotation tonight, trying to be a little more productive today…that 2FA was not easy to set up because additional key info was missing. You can install Chromium on Ubuntu,but it’s a somewhat stripped-down version of Chrome, so my key doesn’t work on that browser, but miraculously it does work on firefox, which the key manufacturer didn’t bother to even mention that browser as being one of the supported browsers - I wonder if they even know that about their own product? Also had trouble because it’s not enough to just install hardware key by itself, your google account requires at least one additional secondary authentication method that involves your phone being linked to your gmail account, something which I wanted to avoid if my cell phone gets gets lost or stolen; i.e., google authenticator, android cell phone internal key (android 7.0 or later), phone SMS messaging, etc., just in case the primary (main) secondary method fails I suppose, and you get locked out of your account with no other way to get in as a secondary backup method since it’s a 2FA process, my guess.