How to Login to Ubuntu with Google Authenticator



The tutorial guides new users on how to improve Ubuntu security with Google’s multi-factor authentication. It involves installing the Google PAM package and the Google Authenticator app on the mobile device. After installing, Ubuntu’s configuration file is opened and updated. The setup prompts a series of questions to customize the security, such as time-based tokens…

This brief tutorial shows students and new users how to log in to Ubuntu 20.04 | 18.04 with Google two-factor authentication (Multi-factor authentication).

To improve Ubuntu security, you may want to enable multi-factor authentication.

Two-factor authentication enables users to provide specific details such as random code or OTP (Time Password ) to add another layer of security to standard usernames and passwords.

There are multiple ways to implement multi-factor authentication in Ubuntu. Google authentication is one of them. 

To get started with installing Google authentication, follow the steps below:

Install the Google PAM package

Google authentication is a PAM ( Pluggable Authentication Module) package that provides a mechanism to add extra layers of authentication on the Linux platform.

To install it, run the commands below:

sudo apt update
sudo apt install libpam-google-authenticator

Install the Google Authenticator app

To authenticate using a one-time code, you must install the Google Authenticator app on your mobile device(s). This is where the one-time code will be displayed.

Visit the app store using your mobile device and search for Google Authentication, or use the link below:

After installing it on your mobile device, go back to Ubuntu and configure it to log in using a one-time password.

Configure Ubuntu

Now that Google Authenticator is installed, open its configuration file by running the commands below;

sudo nano /etc/pam.d/common-auth

Then copy and paste the line below anywhere into the file and save.

auth required

Paste the line anywhere in the file.

# since the modules above will each just jump aroundauth    required              
# and here are more per-package modules (the "Additional" block)
auth    optional              
# end of pam-auth-update config
auth required

Save and exit.

After that, run the commands below to initialize Google Authentator.


Running the commands above will evoke a setup prompt to answer questions based on your environment.

Do you want authentication tokens to be time-based (y/n) y

A QR code will be displayed on the terminal, as shown below, and some information will be displayed right below it.

Since you cannot scan the QR code from your terminal windows, go to your mobile app and add a new profile.

Choose to enter the setup key instead of scanning a QR code.

Then, enter the new secret key and the confirmation code:

Your new secret key is: M7I5532H5ZG4QYYEIQIMXFENIMI
Your verification code is 6593222
Your emergency scratch codes are:

The emergency codes are backups you can use if you don’t have your mobile device. Please take note and store it in a secure but accessible location.

In most environments, answering yes to all the questions will be enough to provide the kind of security that works.

Do you want me to update your "/home/richard/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

After setting up, reboot your machine and test.

As you can see, you’ll still verify your username and password, but the third layer of a one-time code will also be needed to log in.

Enter the code from your mobile device to complete the verification.

That should do it!


This post showed you how to install and configure Google Authenticator on Ubuntu to provide an additional layer of security.

If you find any error above, please use the form below to report.

Like this:

One response to “How to Login to Ubuntu with Google Authenticator”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.