Secure your logins with two-factor authentication


© Lead Image © Kran Kanthawong,

© Lead Image © Kran Kanthawong,

Article from Issue 200/2017

Add an extra layer of protection with one-time passwords.

There really is no such thing as too much security. Thanks to the availability of easy-to-use password cracking tools and multicore processors, it is only a matter of time before a determined hacker breaks your password and gains access to your computer. If you're really concerned about unauthorized access to your computer, you should definitely add an additional layer of authentication (see the "What Is Two-Factor Authentication?" box).

One of the easiest mechanisms for implementing a two-step verification is the Google Authenticator service . You can use the service to issue a time-based authentication token to supplement the existing password challenge. Google Authenticator uses the IETF-approved Open Authentication Time-Based One-Time Password (OATH-TOTP) protocol that generates a password (usually a six-digit number) that's meant for a single use before it expires and is replaced by a new number.

The good thing about the TOTP protocol [3] is that it doesn't require an active connection to the Internet. The protocol uses the current timestamp along with a pre-shared key that's available on both the machine you're trying to log in to, as well as on your portable app used to create the six digit code. When you type in the code at the login prompt in the computer, it performs the same computation with the same pre-shared key and arrives at the same six-digit code, thus allowing you to log in.

The TOTP-based authentication mechanism integrates into the Linux Pluggable Authentication Module (PAM) system. PAM is the most popular authentication infrastructure used on Linux systems to authenticate a user. Once you've integrated the service with your distribution's login manager, in addition to your user password, you'll be prompted for the tokens before being allowed to log in. The tokens are only valid for a limited duration, which effectively means you can't reuse them. So even if an attacker manages to shoulder-surf a token, it'll expire soon and can't be used to gain access after a few seconds. The Google Authenticator app (Figure 1) will generate these OTPs on your Android device once it's been configured to do so for every user on your Linux machine.

Figure 1: For a security app, it's rather amusing that Google Authenticator doesn't have PIN protection to lock the app.

What is Two-Factor Authentication?

Broadly speaking, there are three different types of authentication factors. The most common is the use of a password or sometimes a security question to validate a user. Two-factor authentication is the use of another factor to verify the authenticity of the user who wants to gain access. Think of it as an extra layer of security. In addition to something the user knows, like the password, the user is prompted for something they have, like a security token. The use of passwords together with security tokens is known as two-factor authentication. Installations that can't afford security breaches use a third factor for authentication: Biometrics authentication is something you are, like your voice or fingerprint.

The most commonly used two-factor authentication mechanism is the use of passwords along with security token. The authentication tokens can be in the form of physical devices, such as smart cards, or can be doled out by software, such as mobile apps that generate PIN codes for authentication. Google Authenticator [1] (Figure 1) is an example of the latter. Note that while previous versions of the app were open source, the current releases now are all proprietary. For an open source option, check out FreeOTP [2] (Figure 2).

Figure 2: If you're weary of proprietary apps, you can use the open sourced FreeOTP app.

Configure Google Authenticator

To implement this multifactor authentication with Google Authenticator, you'll first need the Google Authenticator PAM module. The PAM mechanism allows for plugging different forms of authentication into a Linux computer.

The Google Authenticator PAM module is available in the official software repositories of major distributions like Ubuntu and Fedora. To install the package on Ubuntu, head to the terminal and type:

sudo apt-get install libpam-google-authenticator

If you are Fedora user, switch to the root user and type

dnf install google-authenticator

to install the PAM module for Google Authenticator.

Once the package has been installed, make sure you're logged in as the user you want to protect with the two-factor authentication. Now irrespective of the distribution, in the terminal window, type google-authenticator. This will initiate the process of creating a secret key for the user by asking you a bunch of questions. While it's safe to answer yes to all of them, it's a good idea to understand each question before making your final choice as these choices help balance security with ease-of-use.

The first question is a pretty safe one, and you should allow the command to update your Google Authenticator file by answering yes. As soon as you answer in the affirmative, you'll be shown a secret key and several emergency scratch codes. Make sure you note down these emergency scratch codes somewhere safe. They'll help you log in if you misplace the Android phone that generates the OTPs. Also remember that each scratch code can only be used once. The google-authenticator command will also generate a QR code that you can scan with the Google Authenticator app in your Android phone. Because we haven't installed the app yet, for the time being just note down the 16-digit code, which we'll use to manually add the account on the app.

You'll then be asked if you'd like to disallow multiple uses of the same authentication token. Although it might seem inconvenient at first, it is a good idea to restrict the use of a token, which forces you to wait 30 seconds between logins. You should agree to this limitation for maximum protection. The next question asks for permission to increase the time window for which tokens can be used from the default 1.5 minutes to four minutes. Although you can answer yes to this question to avoid any issues, type no for maximum security. To give you an idea, if you answer yes here, Google Authenticator will generate up to eight valid codes in a four minute window. By declining to increase the time window, you limit this to only three valid codes in a 1.5 minute window. In any case, if you notice any issues later on, refer to the "What's in the Hidden File?" box to increase the expiration time.

What's in the Hidden File?

When you run the google-authenticator helper script (Figure 3), it generates a hidden file under the user's home directory (~/.google-authenticator). This file contains all the configuration information you need to replicate and modify Google Authenticator's behavior. You can open the file in any text editor, and it contains the information in the following order:

<secret key>
<recovery codes>

Because it contains the 16-digit key and the scratch keys, it's a good idea to back up this file to a trusted location. To change your Google Authenticator settings, you can either rerun the google-authenticator helper script or simply edit the ~/.google-authenticator file. Options that are set in this file have a line in the options section. If you answered "no" to any particular option during the initial setup, the corresponding line is excluded from the file.

For example, to extend the code expiration window to four minutes, add the line WINDOW_SIZE 17. To change the threshold of rate limiting, find the line RATE_LIMIT 3 30 and adjust the numbers. The 3 indicates the number of attempts over a period of time, and the 30 indicates the period of time in seconds. Although it isn't prudent, you can also disable the use of recovery codes by removing the five eight-digit scratch codes at bottom of the file.

Figure 3: The google-authenticator helper script has a brief configuration process with verbose steps that are easy to comprehend.

The fourth and the last question asks you to limit the number of attempts for entering the authentication code. You should definitely enable this option as it helps prevent brute-force login attacks. Once enabled, the Google Authenticator PAM module will force the attacker to wait for 30 seconds after he's entered a wrong code thrice.

Now repeat this process for each user account that uses your computer. Ask everyone you share the computer with to log into their account and then run google-authenticator and make a note of their respective emergency scratch codes and the 16-digit code.

Plug In the Module

After you've generated the authentication code for all users, it's time to configure the login process to work with Google Authenticator. All you need to do is edit one file to add two-step authentication for all login attempts. The file you need to edit varies from one distribution to another. For example, if you are using Fedora, to prompt users for an authentication token before they are allowed to login into their desktop, fire up the terminal and type:

$ su  -
# nano /etc/pam.d/gdm-password

The file will have several lines with the top few beginning with the word auth (Figure 4). In a new line below the last auth line, enter the following:

Figure 4: If you add the call to the pam_google_authenticator module to the top of the relevant /etc/pam.d/gdm-password file, the distribution will ask for the OTP before prompting for your account password.
# To use OTPs generated by Google Authenticator
auth  required nullok

The nullok bit at the end of the line asks the distribution to let a user login even if they haven't run the google-authenticator command to set up two-factor authentication. Say you have two users, andrea and george, but have set up Google Authentication only for andrea. Thanks to nullok, while andrea will have to enter the OTP, george will be able to log in with just his password. Note however that while this is a useful flexibility to have while you're testing Google Authenticator, once everything works smoothly and you have no issues logging in with the two-factor authentication, it's advisable to force all users to log in through Google Authenticator only by removing nullok from the end of this command.

In Ubuntu, however, you can add this line to the common-auth file, which is included in various other PAM configuration files. Open the file in a text editor with sudo nano /etc/pam.d/common-auth. Now scroll to the end of the file and add the above given line along with the comment. By adding the Google Authenticator PAM module to the common-auth file, we've asked Ubuntu to use the one-time passwords for all login attempts, including calls to sudo.

Set Up the App

Your Linux distribution is now all set up for two-factor authentication. To receive the OTPs, you'll now have to install the Google Authenticator app on your Android mobile phone from Google Play. After installing the app, you'll have to add an account for all the users you've run the google-authenticator command for on your Linux installation.

As soon as you launch the app on your mobile device, it'll take you through a small tour advertising its use. When you've run through the tour (Figure 5), you'll be presented with a screen to add an account for a user you've already configured to use Google Authenticator in your Linux distribution. The app lets you add an account either by scanning a QR code or by manually adding the unique 16-digit key.

Figure 5: You can also enable two-factor authentication for your online Google accounts.

While scanning the QR code is the more convenient of the two options, we'll manually enter the code by tapping on the Enter a provided key option. In the following screen, first specify the name of the user for which this is meant, such as Mayank and then enter the 16-digit key you had made a note of earlier.

If you've keyed it in properly, the phone will vibrate to confirm, and the app will display a six digit code. Below this code will be the name of user that this code will help authenticate along with an animated timer that counts down to 30 seconds after which the app displays a new code.

If you've followed our advice and run the google-authenticator helper script for more than one user, you'll have to bring them to the attention of the Android app to generate OTPs for these other accounts as well. For this, first tap the + icon followed by the Enter a provided key and then repeat the process described above to first add a name to identify the user followed by their 16-digit secret key.

That's it, you've now successfully set up two-factor authentication for your Linux installation. The Android app will keep generating a new six-digit code every 30 seconds. When you log into your account, your distribution will prompt for your password before asking you to enter the authentication code for the account. At this point, enter the digits currently on display in the Android app.

Once you've logged in successfully, make sure you edit the /etc/pam.d/gdm-password or the /etc/pam.d/common-auth file and remove the nullok option to force logins through Google Authenticator. Also remember to create an account in the Android app for all the users on your installation. If you've lost your Android device that generates the OTPs, refer to the "Troubleshoot the Authenticator" box to wriggle out of a potentially sticky situation.

Troubleshoot the Authenticator

If you can't access the the Android device that generates OTPs, you can use one of the five scratch codes to log into the machine. Note that these recovery codes are for one-time use and cannot be reused. If you've changed phones, install the Google Authenticator app on the new mobile and simply use the secret key in the ~/.google-authenticator file to generate OTPs.

If, however, you've misplaced the Android device that doles out the OTPs, you should immediately generate a new secret key. To do this, once you've logged in using the scratch codes, first delete the existing ~/.google-authenticator file and then rerun the google-authenticator helper script to generate a new ~/.google-authenticator file. Now install the Google Authenticator app on a new mobile and add the newly generated secret key.

Going through the additional security prompt might seem like a hassle at first. However, if you're using the computer in a public place, you'll quickly learn to appreciate the benefits of the two-factor authentication mechanism.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More