Two-factor authentication (2FA) is a method of requiring more than one credential to prove your identity. It adds an extra layer of security to your system by requiring users to provide more than one piece of information to authenticate successfully to an account or Linux host. The additional information may be a one-time password (OTP) sent to your cell phone via SMS or credentials from an app like Google Authenticator, Twilio Authy, or FreeOTP.

Important Information!
Before proceeding with the steps outlined in this post, please be aware of the following disclaimer:
- The information provided in this blog post is for educational and informational purposes only. The steps and instructions described here are based on experience, but individual results may vary.
- The readers are solely responsible for their actions and decisions when implementing the steps mentioned in this post. The author does not assume any responsibility for errors, omissions, or any adverse outcomes that may occur.
- It is crucial to exercise caution and judgment while applying the information provided. If you are unsure about any of the steps, consider seeking professional advice or conducting further research.
- The author is not liable for any direct, indirect, incidental, or consequential damages or losses that may result from following the instructions in this blog post.
- All external links and resources mentioned in this post are for reference purposes only, and the author does not endorse or guarantee the accuracy, quality, or safety of the content on external websites.
Step 1: Install The Google Authenticator
Log in to your Debian Linux server and, as the root user, issue the following command to install Google Authenticator from the default Debian package repository:
apt install libpam-google-authenticator
Step 2: Configure The Google Authenticator For Your User
Run the google-authenticator command to create a new secret key in your 2FA user’s home directory:
google-authenticator
Answer the questions about your system and needs.
Scan the QR code with Google Authenticator on your cell phone!
Step 3: Configure The PAM For GDM
On desktop systems, update the PAM configuration of GDM as the root user:
nano /etc/pam.d/gdm-password
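At the top of the file, insert the following PAM module line (the nullok option lets users who have not yet created a secret key with google-authenticator log in without a verification code):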
auth required pam_google_authenticator.so nullok
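Keep a root shell open on a text console or over SSH so that you can revert the change, then restart the GDM service. The restart forces you to log in again, and any error or mistake in the configuration will lock you out of the system here!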
systemctl restart gdm
Step 4: Log In
At the login screen, you must provide the verification code first, then your password in the second form.
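The script below is an added example, not part of the original post or of the libpam-google-authenticator package: a read-only check to run before the restart in Step 3, which confirms that the module line is active and placed ahead of the first @include, and that the user has a usable secret file. The function names and messages are this example's own, and it assumes the default secret location ~/.google_authenticator.

```shell
#!/bin/sh
# Added example: read-only checks to run before `systemctl restart gdm`.
# Function names and messages are this example's own, not the module's.

# Print the first active (uncommented) auth line that loads the module.
gauth_line() {
    awk '$1 == "auth" && /pam_google_authenticator\.so/ { print; found = 1; exit }
         END { exit !found }' "$1"
}

# Succeed if that line precedes the first @include, so the verification
# code is requested before the password (the order described in Step 4).
gauth_before_include() {
    awk '$1 == "auth" && /pam_google_authenticator\.so/ { ok = 1; exit }
         $1 == "@include" { exit }
         END { exit !ok }' "$1"
}

# Succeed if the module line carries the nullok option.
gauth_nullok() {
    gauth_line "$1" | tr -s ' \t' '\n\n' | grep -qx nullok
}

# Succeed if HOME_DIR holds a secret file with no group/other permissions.
secret_ok() {
    [ -f "$1/.google_authenticator" ] &&
        [ "$(ls -ld "$1/.google_authenticator" | cut -c5-10)" = "------" ]
}

# preflight PAM_FILE HOME_DIR: print findings; return 1 if 2FA is inactive
# or this user could not log in after the restart.
preflight() {
    gauth_line "$1" >/dev/null || { echo "FAIL: no active module line in $1"; return 1; }
    gauth_before_include "$1" || echo "WARN: module line comes after an @include"
    if secret_ok "$2"; then
        echo "OK: owner-only secret file found in $2"
    elif [ -f "$2/.google_authenticator" ]; then
        echo "FAIL: secret file in $2 is accessible by group or others"; return 1
    elif gauth_nullok "$1"; then
        echo "NOTE: nullok set and no secret, this user logs in without a code"
    else
        echo "FAIL: no secret and no nullok, this user is locked out"; return 1
    fi
}

# Usage: sh preflight.sh /etc/pam.d/gdm-password "$HOME"
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it once per user who logs in through GDM, passing that user's home directory as the second argument.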
Conclusion
You’ve successfully set up two-factor authentication with Google Authenticator on Debian Linux. Though it adds another layer of security to the system, it comes with some drawbacks and annoyances:
Every time the computer screen is locked, the verification code must be provided as well.
The cell phone or other OTP device must be around to log in to the system.
Does this just work for one user? I.e., multiple users would have different phone numbers.
I also assume it would make sense to have an Encrypted Hard Drive and possibly a BIOS password?
Just in case your machine is stolen.
Yes, the code will be different for every user. When you run the authenticator agent, you must do it as a user.
Encryption of data at rest and in transit is always a good idea.
Thank you for clarifying. Very interesting article.
You’re welcome. And happy hacking!