How to Set Up Two-Factor Authentication in Ubuntu

Two-factor authentication is a great answer to the many problems with traditional passwords. It’s a great way to add an additional level of security to your accounts. Now you can apply two-factor authentication to your Linux desktop.

To start, you’re going to need the Google Authenticator app for your Android device. It’s a simple app for generating authentication codes that correspond to linked devices.

Install Google Authenticator Linux

With Google Authenticator installed on your phone, it’s time to set it up on your Linux desktop. There’s a package that you need to install in order to integrate Linux’s existing authentication system with the Google Authenticator.

Linux Google Authenticator Configuration

Now that you have everything in place, you can start configuring it all to work together. Open up the file at “/etc/pam.d/common-auth” with sudo in your favorite text editor. Locate the line below.

Right above that line, add in this one:

Save that and close the file.

Every user on the computer will need to run the google-authenticator command. This will run you through the process of setting up the authentication for the user. If you don’t do it, the user won’t be able to log in. After you set up the first one, you can set up the others with sudo su username.

After you run the command, it will begin asking you questions about how you want your authentication set up. The questions explain themselves fairly thoroughly. For security reasons, the recommendation of this guide is to answer: yes, yes, no, no, yes. Of course, you can choose something else, if it’s a better fit for you.

After you answer all the questions, the script will present you with a series of codes and a key. The key is what you will use to set up the Google Authenticator app on Android. The “scratch codes” are one-time-use codes that you can use to access your computer if you don’t have your phone. Print or write those down. You can use the other code immediately, if you need to.

Google Authenticator Android

Open up your Android app and tap on “Begin.” Then, select “Enter a provided key.” Create a name for your account and type in the secret key that the Linux script provided.
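
Once the phone and the PC hold the same key, each derives the code from that key and the current time, with no network connection involved. The following is an added example, not code from the original article or from the Google Authenticator project, of that derivation as specified in RFC 6238. It assumes the common parameters (HMAC-SHA1, 30-second steps, 6 digits); the function names are hypothetical and the secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (assumed default)
DIGITS = 6   # length of the displayed code (assumed default)


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code for a base32 secret at the given Unix time."""
    # Keys are shown in base32; tolerate spaces, lower case and missing padding.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    # The moving factor is the number of whole steps since the Unix epoch.
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, unix_time, window=1, step=STEP):
    """Accept a code from up to `window` steps either side of the verifier's clock."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed sample: the RFC 6238 test key, base32-encoded as an app would show it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    phone_time = 1111111109
    code = totp(SECRET, phone_time)
    print("code shown on phone:", code)
    print("PC clock 20 s ahead, accepted:", verify(SECRET, code, phone_time + 20))
    print("PC clock 5 min ahead, accepted:", verify(SECRET, code, phone_time + 300))
```

The window parameter is why a small clock difference between phone and PC is tolerated while a large one causes every code to be rejected.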

Google Authenticator Setup

After that, you’ll need to open up the Google Authenticator app on Android and generate a code every time you’re asked to provide your password on Linux. Your Linux PC is more secure against password-based attacks. Take a look at what the login screen looks like with two-factor authentication enabled.

You’ll even need the authenticator to use root privileges with sudo, too.

All of this amounts to much more security for your system, and that’s a good thing. Of course, you have to decide what the right balance is for you.

10 comments

  1. Does anybody else besides Google offer 2FA?

    The assumption of 2FA is that one has a smartphone. I guess those without one are out of luck, naked and exposed.

    • Google Authenticator is based on some kind of pseudorandom generator, which does not need an internet connection. So you can still use it even if it’s offline.

      • This may be good for remote access like SSH. But if the PC is offline, 2FA would not work, as the auth-server connection is required. Am I wrong with that?

        • AFAIK, the authentication is based on a secret key and the time. It doesn’t connect to any server, so it will work fine if the PC is offline. The only time when it might fail is when the system clock is out of sync (like when the CMOS battery is running out of juice), etc.

  2. A nice article, very well posted! But I have some doubts about the security. Two-factor security implies using a double validation. For instance, a user password and, after it is successfully introduced, a token code received on a mobile device or by email, etc. In that case you just have a password generated by the app. And if it also works offline, it is because the passwords are not unique. They are valid algorithms that can be generated on both platforms. This is less secure, I think, than a traditional password. What do you think about it?

  3. I wouldn’t trust Google for 2-factor authentication on my computer. Use VeraCrypt for your drive, and default to encrypting your /home. If you trust Google that much, then why 2-factor authentication at all?

    • 2FA is used not to protect against Google specifically but against the thousands of other nogoodniks out there. The idea is analogous to hiring a fox to guard your hen house against wolves and other foxes.

  4. Hi, I am unable to log in after enabling this feature; accidentally, I did not run Google Authenticator on my phone to add the code. So how can I log in? Please help, it’s urgent. Thanks in advance.
