This brief tutorial shows students and new users how to log in to Ubuntu 20.04 | 18.04 with Google two-factor authentication (Multi-factor authentication).
To improve Ubuntu security, you may want to enable multi-factor authentication.
Two-factor authentication enables users to provide specific details such as random code or OTP (Time Password ) to add another layer of security to standard usernames and passwords.
There are multiple ways to implement multi-factor authentication in Ubuntu. Google authentication is one of them.
To get started with installing Google authentication, follow the steps below:
Install the Google PAM package
Google authentication is a PAM ( Pluggable Authentication Module) package that provides a mechanism to add extra layers of authentication on the Linux platform.
To install it, run the commands below:
sudo apt update sudo apt install libpam-google-authenticator
Install the Google Authenticator app
To authenticate using a one-time code, you must install the Google Authenticator app on your mobile device(s). This is where the one-time code will be displayed.
Visit the app store using your mobile device and search for Google Authentication, or use the link below:
After installing it on your mobile device, go back to Ubuntu and configure it to log in using a one-time password.
Now that Google Authenticator is installed, open its configuration file by running the commands below;
sudo nano /etc/pam.d/common-auth
Then copy and paste the line below anywhere into the file and save.
auth required pam_google_authenticator.so
Paste the line anywhere in the file.
# since the modules above will each just jump aroundauth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
auth required pam_google_authenticator.so
Save and exit.
After that, run the commands below to initialize Google Authentator.
Running the commands above will evoke a setup prompt to answer questions based on your environment.
Do you want authentication tokens to be time-based (y/n) y
A QR code will be displayed on the terminal, as shown below, and some information will be displayed right below it.
Since you cannot scan the QR code from your terminal windows, go to your mobile app and add a new profile.
Choose to enter the setup key instead of scanning a QR code.
Then, enter the new secret key and the confirmation code:
Your new secret key is: M7I5532H5ZG4QYYEIQIMXFENIMI Your verification code is 6593222 Your emergency scratch codes are:
The emergency codes are backups you can use if you don’t have your mobile device. Please take note and store it in a secure but accessible location.
In most environments, answering yes to all the questions will be enough to provide the kind of security that works.
Do you want me to update your "/home/richard/.google_authenticator" file? (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) n If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
After setting up, reboot your machine and test.
As you can see, you’ll still verify your username and password, but the third layer of a one-time code will also be needed to log in.
Enter the code from your mobile device to complete the verification.
That should do it!
This post showed you how to install and configure Google Authenticator on Ubuntu to provide an additional layer of security.
If you find any error above, please use the form below to report.