
Setup U2F for Teleport Cloud


This guide will walk you through setting up second factor authentication for local accounts.

Step 1/3. Install client libraries

Install client libraries:

curl -O

# verify the SHA-256 checksum

echo "$(curl" | sha256sum --check
tar -xzf teleport-ent-v8.0.7-linux-amd64-bin.tar.gz
cd teleport-ent
sudo ./install

Log in as a Teleport user with editor privileges:

# tsh logs you in and receives short-lived certificates

tsh login [email protected]

# try out the connection

tctl get nodes

Step 2/3. Configure auth

Create a YAML file cap.yaml:

Replace with the name of your Teleport cloud cluster:

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: local
  # 'on' supports both TOTP and U2F. Set it to 'u2f' to enforce U2F as the only second factor.
  second_factor: 'on'
  u2f:
    app_id: ''
    facets:
    - ''
    - ''
    - ''
    - ''
version: v2

Create a resource:

tctl create -f cap.yaml
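
An added example, not part of the Teleport documentation: a shell function that renders cap.yaml from the cluster host name and refuses empty or malformed values, so the resource is never created with a blank app_id or blank facets. The function name render_cap, the sample host example.teleport.sh and the four facet forms (https and bare host, each with and without :443) are assumptions; confirm them against your cluster's address.

```sh
#!/bin/sh
# Added example: render cap.yaml for one cluster host.
# Assumption: app_id is https://<host>, and the facets are the https and
# bare-host forms, each with and without :443.

render_cap() {
    host=$1
    mode=${2:-on}

    # The guide names two settings: 'on' (TOTP and U2F) and 'u2f' (U2F only).
    case $mode in
        on|u2f) ;;
        *) echo "second_factor must be 'on' or 'u2f', got '$mode'" >&2
           return 2 ;;
    esac

    # Accept a bare DNS name only: no scheme, port, path, whitespace or
    # empty value, so a forgotten placeholder fails here and not in tctl.
    case $host in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*)
            echo "cluster host must be a bare DNS name, got '$host'" >&2
            return 2 ;;
    esac

    cat <<EOF
kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: local
  second_factor: '${mode}'
  u2f:
    app_id: 'https://${host}'
    facets:
    - 'https://${host}:443'
    - 'https://${host}'
    - '${host}:443'
    - '${host}'
version: v2
EOF
}

# Constructed sample call (example.teleport.sh is a placeholder host):
#   render_cap example.teleport.sh on > cap.yaml
```

Review the generated cap.yaml before running tctl create -f cap.yaml.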

Step 3/3. Add U2F device

Try out the U2F integration using CLI:

tsh mfa ls

MFA device name  Type Added at                        Last used
---------------- ---- ------------------------------- -------------------------------
android OTP      OTP  Tue 08 Dec 2020 01:29:42 PM PST Tue 15 Dec 2020 01:29:42 PM PST
yubikey          U2F  Wed 09 Dec 2020 02:00:13 PM PST Wed 16 Dec 2020 02:00:13 PM PST

Add U2F device:

tsh mfa add

Adding a new MFA device.
Choose device type (1 - OTP, 2 - U2F): 2
Enter device name: solokey
Tap any *registered* security key or enter an OTP code: <tap>
Tap your *new* security key... <tap>
MFA device "solokey" added.

You can now log in with the Web UI or CLI using U2F.
