Docker Hub Authentication: Is 2021 the year you enable 2FA on Docker Hub?

Judging by the reactions I saw in the audience during my past talks on “Securing Containers By Breaking In”, as well as recent reactions on Twitter, not many know about Docker Hub’s fairly recent multi-factor authentication feature.

In October 2019, in order to improve the Docker Hub authentication mechanism, Docker rolled out a beta release of two-factor authentication (also known as 2FA). This new capability further strengthens the software supply-chain security of the primary and largest hub of docker container images and applications.

One of the topics I discussed during my talks was the state of 2FA availability for maintainers and developers across the npm registry and the Docker Hub registry. I was aiming to gauge the audience’s reaction to the following slide which declares that not a single account on Docker Hub had enabled 2FA!

What’s behind this number?

Simply put, Docker Hub authentication didn’t support multi factor mechanisms up until October 2019. If we look at other registries to draw some comparisons – data shared about the npmjs registry in January 2020 shows that only 9.27% of all developers enabled 2FA. Given the fact that 2FA was introduced on npmjs in late 2017, developers are lagging behind on their software supply chain security.

Docker Hub rolling 2FA

Given Docker Hub’s position as the primary software registry for container images, hosting millions of docker images, software supply chain security clearly needs to be taken seriously.

The Docker team’s announcement on the Github repository about their plans to roll out 2FA support for Docker Hub authentication was warmly welcomed by the community.

In October 2019 the beta version of 2FA support for Docker Hub was officially announced, and available for users to enable.

Enable Two-Factor Docker Hub Authentication

We have previously outlined 10 Docker Image Security Best Practices to follow. The support of 2FA in Docker Hub authentication is a significant step forward in docker image security and software supply-chain. It is in your project’s best interest if you enabled it. This way, you reduce the risk that an attacker can compromise your account and inject malicious docker container images to the container registry.

Your container image security

The latest Docker version now supports a docker scan command, which integrates behind the scenes with Snyk’s vulnerability database, so you get rich security information straight from the CLI.

Try it out yourself:

docker scan node:latest --file Dockerfile

How many vulnerabilities did you find?
What are you going to do about it now? 😉

You can read about more advanced command line usage for docker scan in Docker’s own blog article.

The Docker Desktop integration with Snyk goes further than just the Docker client. Docker integrated Snyk directly into the Docker Hub registry, providing full observability into security vulnerabilities for docker images pushed to Docker Hub.

Snyk is free for open-source and provides a free tier for private projects too, so you can sign up with Snyk to test and fix your Docker images. Of course, don’t stop there – import your application projects too!

More Docker security practices to follow up on: