diff --git a/docker-hub/access-tokens.md b/docker-hub/access-tokens.md index 9edfafb561..26c6657ea3 100644 --- a/docker-hub/access-tokens.md +++ b/docker-hub/access-tokens.md @@ -6,9 +6,16 @@ keywords: docker hub, hub, security, PAT, personal access token Docker Hub lets you create personal access tokens as alternatives to your password. You can use tokens to access Hub images from the Docker CLI. -Access tokens are useful in cases such as building integrations since -you can issue multiple tokens – one for each integration – -and revoke them at any time. +Using personal access tokens provides some advantages over a password: +* You can investigate when an access token was used last, and disable or delete it if you find any suspicious activity. +* When logged in with an access token, you can't perform any admin activity on the account, including changing the password. + +Access tokens are also useful in building integrations, since you can issue +multiple tokens – one for each integration – and revoke them at +any time. + +> Note: If you have [two-factor authentication (2FA)](/2fa) enabled on your account, you must create at least one personal access token. Otherwise, you will be unable to log in to your account from the Docker CLI. +{: .important } ## Create an access token 
@@ -52,4 +59,10 @@ select multiple tokens to delete them all once. You can use an access token anywhere that requires your Docker Hub password. -For example, when logging in from your Docker CLI client (`docker login --username `), omit the password in the login command. When you're prompted for a password, enter your token instead. +When logging in from your Docker CLI client (`docker login --username `), +omit the password in the login command. When you're prompted for +a password, enter your token instead. + +If you have 2FA enabled, you must use a personal access token when logging in +from the Docker CLI. If you don't have it enabled, this is an optional (but +more secure) method of authentication. diff --git a/docker-id/images/login2019.png b/docker-id/images/login2019.png new file mode 100644 index 0000000000..e09621ebf4 Binary files /dev/null and b/docker-id/images/login2019.png differ diff --git a/docker-id/index.md b/docker-id/index.md index cf83aa998a..4adf648c92 100644 --- a/docker-id/index.md +++ b/docker-id/index.md 
@@ -41,13 +41,13 @@ Your Docker ID becomes your user namespace for hosted Docker services, and becom Once you register and verify your Docker ID email address, you can log in to [Docker Hub](https://hub.docker.com) and [Docker Support](https://support.docker.com). -![Login](images/login.png) +![Login](images/login2019.png) You can also log in using the `docker login` command. (You can read more about `docker login` [here](/engine/reference/commandline/login.md).) > **Warning**: > When you use the `docker login` command, your credentials are -stored in your home directory in `.docker/config.json`. The password is base64 -encoded in this file. If you require secure storage for this password, use the -[Docker credential helpers](https://github.com/docker/docker-credential-helpers). +stored in your home directory in `.docker/config.json`. The password is base64-encoded in this file. +> +> For extra security, you can use a [personal access token](/docker-hub/access-tokens) to log in instead, which is still encoded in this file but doesn't allow admin actions (such as changing the password). If you require secure storage for this password or personal access token, use the [Docker credential helpers](https://github.com/docker/docker-credential-helpers). {:.warning}
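Review bot: In docker-hub/access-tokens.md, first hunk (-6,9 +6,16), the new bullet list starts on the line directly after "Using personal access tokens provides some advantages over a password:" with no blank line in between. Add a blank line before the first `*` item so the list is not parsed as a continuation of the paragraph. The new callout is also written as `> Note:` with `{: .important }`, while the warning touched in docker-id/index.md uses a bold label (`> **Warning**:`) and `{:.warning}`; use one form for both.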
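Review bot: In docker-hub/access-tokens.md, second hunk (-52,4 +59,10), the inline command reads `docker login --username ` with nothing after the flag, so the reader is not shown where the Docker ID goes. Put a visible placeholder after `--username`, escaped if the renderer is dropping an angle-bracket token. The added closing paragraph repeats the 2FA requirement already stated in the note added near the top of the page; a link back to that note would avoid the two statements drifting apart. Since the intro presents tokens as the choice for integrations, this section could also say how to supply the token without the interactive prompt, for example with `--password-stdin`.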
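Review bot: In docker-id/index.md, hunk (-41,13 +41,13), the rewritten warning opens its new paragraph with "For extra security" and then says the token "is still encoded in this file", which reads as if encoding were a protection. Base64 is an encoding, not encryption, so a token in `.docker/config.json` is readable by anyone who can read that file; say that explicitly, and make clear the benefit of the token is that it cannot perform admin actions and can be revoked, not that it is stored more safely. The credential-helpers sentence applies to both the password and the token, so it would read better as its own blockquote paragraph rather than the tail of the token sentence. The line beginning "stored in your home directory" also has no `>` prefix while the new lines after it do.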