Two-Factor Authentication

Today we will learn about Two-Factor Authentication (2FA), its importance, and how to set it up for enhanced security.

Explanation

Two-Factor Authentication (2FA) adds an extra layer of security to your accounts by requiring two forms of verification: something you know (password) and something you have (phone, hardware token).

Key Concepts:

Factors: Knowledge (password), Possession (phone/app), Inherence (biometrics).
Methods: SMS, authenticator apps (e.g., Google Authenticator), hardware keys (e.g., YubiKey).
Time-Based One-Time Passwords (TOTP): Codes that expire every 30 seconds.

Technical:

How 2FA Works:

After the user enters a password, the system prompts for a second factor. For TOTP, the authenticator app derives a code from a shared secret and the current time, and the server, which holds the same secret, computes the expected code and compares.

Security Benefits:

Mitigates password breaches, phishing, and brute-force attacks: a stolen or guessed password alone is not enough to log in, because the attacker still needs the second factor.

How to set it up properly:

General Best Practices

  1. Use authenticator apps over SMS (SMS can be intercepted).
  2. Enable 2FA on all critical accounts.
  3. Back up recovery codes securely.
  4. Use hardware keys for maximum security.

Client (Enabling 2FA)

Set up 2FA on your accounts.

Linux/macOS

  1. Install an authenticator app like Aegis or Authy.
  2. Ubuntu: sudo apt install aegis-authenticator or download from app store.
  3. macOS: Download from App Store.
  4. For accounts: Go to security settings, enable 2FA, scan QR code with app.
  5. For hardware: Use YubiKey with Yubico Authenticator.

Windows

  1. Install Microsoft Authenticator or Google Authenticator from Microsoft Store.
  2. Enable 2FA in account settings (e.g., Microsoft, Google).
  3. For hardware: Use YubiKey with Windows Hello or dedicated apps.

Note: Store backup codes in a password manager.

Server/Account Setup

For systems or services you manage:

Linux

  1. For SSH: Use Google Authenticator PAM module.
  2. Install: sudo apt install libpam-google-authenticator
  3. Run google-authenticator as each user to set up their secret.
  4. Edit /etc/pam.d/sshd to include the line auth required pam_google_authenticator.so
  5. Restart SSH: sudo systemctl restart ssh

Windows

  1. Enable 2FA in Active Directory or Azure AD.
  2. For servers: Use Windows Hello for Business or third-party MFA.

Note: Test 2FA from a new session while keeping an existing session open, so a misconfiguration cannot lock you out.

Samples:

Example TOTP Code

123456

(Generated by app, valid for 30 seconds.)

Example QR Code URL (for setup)

otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

(Scan with authenticator app.)
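The TOTP generation described under How 2FA Works and the otpauth URL above, worked through as an added example that is not from the original page: an RFC 4226/6238 implementation plus the server-side check that applies a one-step clock window and rejects a reused code. It uses the published RFC 6238 reference secret instead of the page's secret, and the label alice@example.org is a constructed placeholder.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URI; the secret is the RFC 6238 reference key
# "12345678901234567890" in base32, not a real account secret.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def parse_otpauth(uri):
    """Parse an otpauth://totp/... URI into (label, secret_bytes, params)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = params["secret"].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)          # restore base32 padding
    return unquote(u.path.lstrip("/")), base64.b32decode(secret), params

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at=None, period=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / period); 30 s steps."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits)

def verify_totp(secret, code, at, last_counter, window=1, period=30):
    """Server side: accept the code for the current step +/- window steps,
    but never for a step at or before the last accepted one (replay guard).
    Returns (accepted, new_last_counter)."""
    counter = int(at) // period
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code):
            return True, c
    return False, last_counter

if __name__ == "__main__":
    label, key, params = parse_otpauth(SAMPLE_URI)
    print(label, params["issuer"], "current code:", totp(key))
```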

Example PAM Configuration (/etc/pam.d/sshd)

auth required pam_google_authenticator.so
auth required pam_unix.so

  • Use apps like Authy or Aegis.
  • Prefer hardware keys like YubiKey.
  • Avoid SMS-based 2FA.
  • Regularly rotate secrets if possible.