CentOS Two Factor Authentication with Google Authenticator

I used this guide: http://www.thefallenphoenix.net/2015/03/ssh-multi-factor-centos-7/

But like a idiot, I setup the root account, not my account.....

This will cause a issue if for some reason Google Authenticator doesn't work, right?

scottalanmiller

I used this guide: http://www.thefallenphoenix.net/2015/03/ssh-multi-factor-centos-7/

But like a idiot, I setup the root account, not my account.....

This will cause a issue if for some reason Google Authenticator doesn't work, right?

Yes, that would be a problem

This seems like it might be a better option

https://www.authy.com/integrations/ssh

This looks much, much easier to install/use:

https://vimeo.com/48266785

How To Install Authy And Configure Two-Factor Authentication For SSH
https://www.digitalocean.com/community/tutorials/how-to-install-authy-and-configure-two-factor-authentication-for-ssh

scottalanmiller

I don't like SMS as an authentication method because I've found SMS to be very unreliable. Here in Europe it is tons more reliable than in the US, but you don't want a tower outage or being in a "dead spot" to stop authentication. I worry enough about the "on the phone" app losing power (my phone is dead right this second, for example) or getting lost or whatever causing a lack of access but using SMS on the phone adds secondary network connectivity as an additional breaking point.

If I lose my phone, phone breaks, battery is dead, I lose cell coverage OR I lose network access I can't log in. That is more and more points of failure.

scottalanmiller

Also, SMS is not secure at all. I've had SMS hijacked before. So less than ideal as a security method. It's a second factor so that is not the end of the world, but I have definitely spent a year working in a situation where that would not have been a second factor at all and using it would have been nothing but a placebo.

@scottalanmiller said:

I don't like SMS as an authentication method because I've found SMS to be very unreliable. Here in Europe it is tons more reliable than in the US, but you don't want a tower outage or being in a "dead spot" to stop authentication. I worry enough about the "on the phone" app losing power (my phone is dead right this second, for example) or getting lost or whatever causing a lack of access but using SMS on the phone adds secondary network connectivity as an additional breaking point.

If I lose my phone, phone breaks, battery is dead, I lose cell coverage OR I lose network access I can't log in. That is more and more points of failure.

I completely agree. This is why I use Authy. No SMS.

Best part of all it is removes the requirement to use your phone.

scottalanmiller

Ah, Authy doesn't require SMS? Cool, will look into it more then.

@scottalanmiller I think your confusing Two Factor Authentication with SMS.

You can do 2FA with SMS, but it's not as common anymore.

Take a look at this link: http://security.stackexchange.com/questions/47901/how-does-authys-2fa-work-if-it-doesnt-connect-to-the-server

If Authy would integrate with Touch ID, that would be amazing!

This is also a good read: http://stackshare.io/posts/how-authy-built-a-fault-tolerant-two-factor-authentication-service/

@scottalanmiller said:

(my phone is dead right this second, for example)

Authy lets to sync across devices, so unless you phone/iPad/computer/Wife's Phone are all dead, then it still works!

scottalanmiller

@Aaron-Studer said:

@scottalanmiller I think your confusing Two Factor Authentication with SMS.

No, I definitely know what both are. I think you are quoting someone who was wrong in the article because someone said that to them there too trying to claim that a code over SMS isn't two factor authentication, but it most certainly is as they get pointed out in the article too.

All the images I see of Authy show it uses SMS codes as its second factor. Hence why I thought that that was what they used. If they don't use insecure SMS, why do they advertise it so much?

Also, you can use Authy completely offline

scottalanmiller

I see on their site that SMS is a fallback. They show way too many pictures of it, it make it look like SMS was the process, not an emergency fallback for people living in the dark ages.

This post is deleted!

Look what I just found!

This post is deleted!