Introduction
Passwords can be phished, guessed or leaked. Two-factor authentication (2FA) makes a stolen password insufficient on its own by requiring a second factor, such as a time-based one-time code (TOTP) from an authenticator app, before a login succeeds. This guide covers 2FA for SSH and for web apps.
1. 2FA for SSH using Google Authenticator
Install the libpam-google-authenticator package, then run google-authenticator as the user who will be logging in (not as root via sudo, unless root is that user): it writes the TOTP seed, the emergency scratch codes and its options to ~/.google_authenticator in that user's home directory. Answer yes to time-based codes and to disallowing reuse of a code, and accept the rate limit of 3 attempts per 30 seconds. Then configure PAM as below.
2. Configure PAM for SSH
Edit /etc/pam.d/sshd and add the line auth required pam_google_authenticator.so. On Debian/Ubuntu the file starts with @include common-auth, which pulls in the password stack; comment it out if the SSH key is meant to be the first factor, otherwise a login will ask for key, password and code. Appending nullok to the module line lets users who have not yet run google-authenticator log in without a code, which is convenient during rollout but must be removed once 2FA is mandatory.
3. Update SSHD Config
In /etc/ssh/sshd_config set UsePAM yes, KbdInteractiveAuthentication yes (OpenSSH 8.7 and later; older releases call the option ChallengeResponseAuthentication, and the old name is still accepted as an alias) and AuthenticationMethods publickey,keyboard-interactive, which makes sshd require a valid key first and then the PAM prompt. Also set PasswordAuthentication no so that a password alone is never a way in. Check the file with sshd -t before reloading the service.
4. Testing SSH 2FA
Keep your current session open, reload sshd and log in from a second terminal. You should be asked for your key (the client handles any passphrase) and then for "Verification code:". If a password prompt also appears, the common-auth include in /etc/pam.d/sshd is still active. Only close the original session once the new login works; a mistake here locks you out of the server.
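Putting steps 1 to 4 together, as an added example that is not part of the original guide: the lines to change in the two files on a Debian/Ubuntu host, followed by the checks to run before closing your existing session. Assumptions: the distribution's /etc/pam.d/sshd starts with @include common-auth (other distributions include their password stack under a different name) and the service is called ssh (sshd on RHEL-family systems).

```text
# /etc/pam.d/sshd
# Comment out the password stack: the key is the first factor, the code the
# second. Leaving it in gives key + password + code.
#@include common-auth
# nullok admits users who have no ~/.google_authenticator yet (rollout only;
# drop it when 2FA becomes mandatory, see section 11)
auth required pam_google_authenticator.so nullok

# /etc/ssh/sshd_config
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
# OpenSSH 8.7+; older releases spell this ChallengeResponseAuthentication
KbdInteractiveAuthentication yes
# a valid key first, then the PAM (TOTP) prompt
AuthenticationMethods publickey,keyboard-interactive

# Then, from the session that is already open:
#   sudo sshd -t                  # syntax check, silent on success
#   sudo systemctl reload ssh     # 'sshd' on RHEL-family systems
#   ssh user@host                 # from a second terminal: key, then "Verification code:"
```

If the second terminal gets a password prompt as well, the @include line is still active; if it gets no code prompt at all, check that the user actually has a ~/.google_authenticator file and that nullok is not silently letting them through.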
5. Backup Codes
google-authenticator prints emergency scratch codes (five by default). Each works exactly once and is removed from ~/.google_authenticator when used. Store them offline, in a password manager or on paper, and not on the same phone as the authenticator app. The file itself is created readable only by its owner (mode 0400); keep it that way, since anyone who can read it has the seed.
6. 2FA for WordPress
Install a 2FA plugin such as "Google Authenticator – Two Factor Authentication" (miniOrange) or WP 2FA, enable TOTP, and enrol every administrator account first, since those are the accounts an attacker wants.
7. 2FA for Nextcloud
Nextcloud has built-in TOTP support (the "Two-Factor TOTP Provider" app): enable the app, then each user enrols under Settings > Security. Administrators can make 2FA mandatory for all users or for selected groups from the admin security settings.
8. 2FA for Custom Web Apps
Use a maintained library such as otphp (PHP) or speakeasy (Node.js) rather than writing the HMAC arithmetic yourself, and get the surrounding details right: generate the seed with a CSPRNG, compare codes in constant time, accept at most one 30-second step of clock skew either side, and record the last step a user verified so that a code captured in transit cannot be replayed within its validity window. Enrolment is done by showing an otpauth:// URI as a QR code that the app scans.
9. U2F / WebAuthn
Hardware tokens (e.g. YubiKey) using U2F/WebAuthn sign a challenge that is bound to the site's origin, so a phishing page cannot relay a valid response; that is what makes them phishing-resistant where TOTP is not (a TOTP code typed into a fake page works on the real one). Many web apps and identity providers support them, and OpenSSH 8.2 and later can use them directly as SSH keys (ed25519-sk and ecdsa-sk key types). Prefer them over TOTP wherever they are supported.
10. Recovery Procedures
Document the recovery procedure for a user who loses their device: scratch codes first; failing that, an administrator verifies the person's identity through another channel, then deletes or regenerates ~/.google_authenticator (SSH) or resets 2FA in the web app. Every override should be logged and followed by immediate re-enrolment. A recovery process that hands out access on request is the weakest link of the whole scheme, so design it with the same care as the login itself.
11. Enforce 2FA for All Users
For SSH, drop nullok from the pam_google_authenticator.so line so that users who have not enrolled are refused rather than waved through; for web apps, turn on the enforcement option (WordPress 2FA plugins and Nextcloud both have one). Enrol administrators first, then everyone else.
12. Time Synchronisation
TOTP is computed from the current time in 30-second steps and verifiers normally tolerate only one step of skew either side, so a VPS clock that is more than about a minute off rejects every code. Run chrony or ntpd (or enable systemd-timesyncd) and confirm with timedatectl that the clock is synchronised; the phone's clock matters just as much, but it is usually set automatically.
13. 2FA for Admin Panels
At minimum, put 2FA in front of every administrative interface (phpMyAdmin, Portainer, hosting panels, etc.). Where a tool has no 2FA of its own, place it behind a reverse proxy or VPN login that does, or bind it to localhost and reach it through the SSH tunnel that is already 2FA-protected.
14. Backup 2FA Methods
SMS can be offered as a fallback, but it is vulnerable to SIM swapping and to interception on the carrier network, and it gives no protection against phishing. Prefer TOTP, and a WebAuthn token where supported; if SMS is kept, treat a 2FA reset via SMS as a sensitive action that is logged and reviewed.
15. Multi‑factor for API Tokens
API tokens are used non-interactively, so the second factor applies at issuance: require a 2FA-protected login to create a token, scope each token to the minimum it needs, give it an expiry, and rotate it. Revoke a user's tokens when their 2FA is reset, since a reset is exactly when an account takeover would mint new ones.
16. Audit 2FA Logs
Monitor failed second-factor attempts. A run of failed codes after a successful first factor (a valid key or password) means the attacker already holds that credential; rotate it and investigate the source address. pam_google_authenticator's own rate limit (3 attempts per 30 seconds) and fail2ban watching the sshd log slow down guessing of a six-digit code, which otherwise has roughly a 3 in 1,000,000 chance per attempt with a one-step window.
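The pattern worth alerting on is "key accepted, code rejected repeatedly". As an added example that is not part of the original guide, the script below scans sshd auth log lines for it. The sample lines are constructed for this example in the shape of OpenSSH's auth log messages: with AuthenticationMethods publickey,keyboard-interactive, sshd logs "Partial publickey for <user> ..." once the key is accepted and then "Failed keyboard-interactive/pam for <user> ..." for each rejected code. Host name, PIDs, users, addresses and fingerprints are made up.

```javascript
// Added example, not from the original guide: flag second-factor failures that
// follow a successful first factor in sshd's auth log. The lines below are
// constructed for this example in the format of OpenSSH's auth log messages.
const SAMPLE_LOG = `
Mar  3 10:01:12 vps sshd[2310]: Partial publickey for alice from 203.0.113.5 port 50211 ssh2: ED25519 SHA256:k3h1aQ
Mar  3 10:01:15 vps sshd[2310]: Failed keyboard-interactive/pam for alice from 203.0.113.5 port 50211 ssh2
Mar  3 10:01:21 vps sshd[2310]: Failed keyboard-interactive/pam for alice from 203.0.113.5 port 50211 ssh2
Mar  3 10:01:28 vps sshd[2310]: Failed keyboard-interactive/pam for alice from 203.0.113.5 port 50211 ssh2
Mar  3 10:02:01 vps sshd[2344]: Partial publickey for bob from 198.51.100.7 port 41022 ssh2: ED25519 SHA256:9vQdZx
Mar  3 10:02:05 vps sshd[2344]: Accepted keyboard-interactive/pam for bob from 198.51.100.7 port 41022 ssh2
Mar  3 10:03:40 vps sshd[2390]: Failed password for invalid user admin from 192.0.2.77 port 33004 ssh2
`;

// "<result> <method> for [invalid user ]<user> from <ip> port <port> ssh2"
const AUTH_LINE = /sshd\[(\d+)\]: (Accepted|Partial|Failed) (\S+) for (invalid user )?(\S+) from (\S+) port (\d+) ssh2/;

// Returns null for lines that are not authentication results.
function parseAuthLine(line) {
  const m = AUTH_LINE.exec(line);
  if (!m) return null;
  return {
    pid: Number(m[1]), result: m[2], method: m[3],
    invalidUser: m[4] !== undefined, user: m[5], ip: m[6], port: Number(m[7]),
  };
}

// Tally per user@source: did the key pass, and how many codes failed after it?
// One or two failures are usually a mistyped code; `threshold` or more after an
// accepted key is reported.
function triageAuthLog(text, threshold = 3) {
  const tallies = new Map();
  for (const raw of text.split('\n')) {
    const ev = parseAuthLine(raw);
    if (!ev || ev.invalidUser) continue; // username scanners never had a first factor
    const id = `${ev.user}@${ev.ip}`;
    const t = tallies.get(id) || {
      user: ev.user, ip: ev.ip, keyAccepted: false, secondFactorFailures: 0, loggedIn: false,
    };
    if (ev.result === 'Partial' && ev.method === 'publickey') t.keyAccepted = true;
    if (ev.method.startsWith('keyboard-interactive') && t.keyAccepted) {
      if (ev.result === 'Failed') t.secondFactorFailures += 1;
      if (ev.result === 'Accepted') t.loggedIn = true;
    }
    tallies.set(id, t);
  }
  const findings = [];
  for (const t of tallies.values()) {
    if (t.keyAccepted && t.secondFactorFailures >= threshold) {
      findings.push({
        ...t,
        verdict: 'valid key presented but the code keeps failing: assume the private key is compromised, rotate it and block the source',
      });
    }
  }
  return findings;
}

for (const f of triageAuthLog(SAMPLE_LOG)) {
  console.log(`${f.user} from ${f.ip}: ${f.secondFactorFailures} failed codes after key -> ${f.verdict}`);
}
```

In production, feed it journalctl -u ssh (or /var/log/auth.log) instead of the constructed sample and add a time window, since the script above only counts within the lines it is given. Bob's single successful login and the scanner hitting a non-existent user produce no finding; only alice's source, which presented a valid key and then failed three codes, does.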
17. Combine with SSH Key + 2FA
Requiring both the key and the code (AuthenticationMethods publickey,keyboard-interactive) means a stolen or leaked private key is useless without the TOTP seed on the phone, and a compromised phone is useless without the key; an attacker has to compromise two separate devices, and a failed second factor after a valid key tells you the key has leaked.
18. Mobile Apps for TOTP
Recommend Google Authenticator, Authy or Microsoft Authenticator. Cloud backup of seeds (Authy, and newer Google Authenticator versions) makes a lost phone easy to recover from, but it means the seeds also live in that cloud account, which then needs strong protection of its own.
19. Emergency CLI Access
Any break-glass path is by definition a 2FA bypass, so treat it accordingly. Prefer the VPS provider's out-of-band console, which does not depend on sshd at all. If you keep a separate SSH key instead, give it its own account, restrict that account in sshd_config with a Match User block whose AuthenticationMethods is publickey only, store the private key offline, and alert on every login by that account.
20. Regular Rotation of Scratch Codes
Regenerate the scratch codes (rerun google-authenticator, which also issues a new seed) during security reviews and whenever one has been used or the set may have been exposed; the old codes stop working as soon as the file is rewritten, so re-enrol the phone at the same time.
Conclusion
Enable 2FA for SSH and for every web control panel now. It does not replace good password and key hygiene, but it turns a stolen credential from an immediate compromise into a failed login that you can detect and respond to.