How to Enable 2FA/TOTP on a VPS 


This guide will walk you through the process of enabling 2FA/TOTP on your VPS. Before we delve into the ‘how,’ let us address the ‘what’ and ‘why’ to set the stage for a more secure and resilient virtual environment. 

What is 2FA/TOTP?

Two-factor authentication (2FA) is a security process that adds an additional layer of verification beyond just a password. Typically, it involves something you know (like a password) and something you have (like a mobile device). Time-based One-Time Passwords (TOTP) represent a specific form of 2FA where a unique password is generated at regular intervals, usually 30 seconds, providing a dynamic and time-sensitive element to the authentication process. 
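To make the "new code every 30 seconds" concrete, here is an added example (not part of the original guide) that computes an RFC 6238 TOTP code the way an authenticator app and the server-side PAM module both do: the Unix time is divided into 30-second steps, the step counter is HMAC-SHA1ed with the shared secret, and six digits are carved out of the result. It assumes the openssl command-line tool is installed; the function names are mine, and the secret is the RFC reference key given in hex rather than the base32 form an authenticator app displays.

```shell
#!/bin/sh
# Added example, not from the original guide: RFC 6238 TOTP in plain sh.
# Requires the openssl CLI for HMAC-SHA1; keys are passed as hex strings.

# hotp_hex KEY_HEX COUNTER -> 6-digit code (RFC 4226 dynamic truncation)
hotp_hex() {
  key=$1; counter=$2
  # HMAC-SHA1 over the 8-byte big-endian counter. The bytes are piped
  # straight into openssl because a shell variable cannot hold the NUL
  # bytes that a small counter contains.
  hmac=$(for i in 7 6 5 4 3 2 1 0; do
           printf "\\$(printf '%03o' $(( (counter >> (8 * i)) & 255 )))"
         done | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | sed 's/^.*= *//')
  # Offset is the low nibble of the last HMAC byte; take 4 bytes from there.
  offset=$(( 0x$(printf '%s' "$hmac" | tail -c 1) ))
  chunk=$(printf '%s' "$hmac" | cut -c "$((2 * offset + 1))-$((2 * offset + 8))")
  # Clear the sign bit, keep the low six decimal digits, zero-pad.
  printf '%06d\n' $(( (0x$chunk & 0x7fffffff) % 1000000 ))
}

# totp_hex KEY_HEX UNIX_TIME [STEP] -> code for the time window (default 30 s)
totp_hex() {
  hotp_hex "$1" $(( $2 / ${3:-30} ))
}

# Demo with the RFC 6238 reference key (ASCII "12345678901234567890" as hex).
# A real secret is the one google-authenticator generates; never log it.
RFC_KEY=3132333435363738393031323334353637383930
totp_hex "$RFC_KEY" "$(date +%s)"
```

Run it twice more than 30 seconds apart and the code changes; this is also why the server clock must be accurate, since both sides compute the same counter from the current time.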

Why Enable 2FA/TOTP on Your VPS?

The digital landscape is full of potential threats, and VPS servers are no exception. Enabling 2FA/TOTP on your VPS enhances your server’s security posture significantly. Passwords alone are susceptible to various attacks, such as brute force and phishing. By introducing a second layer of authentication, you fortify your defense against unauthorized access, reducing the risk of data breaches and potential compromises. 

If you want to learn more about securing your VPS, check out our guide “Free Tools to Monitor & Test the Security of Your Server or VPS”. 

Prerequisites

Before embarking on the journey to enable Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your Virtual Private Server (VPS), ensure that you have the following prerequisites in place. 

VPS Access

To implement security measures, you must establish a connection to your server via SSH and have administrative access to your VPS. Ensure that you have the necessary credentials and permissions to make configuration changes. If you are not the administrator, coordinate with the person or team responsible for VPS management. 

Not sure if you are root – or what “root” is? No problem! We have got you covered with “A Practical Guide to Superuser Accounts, sudo & root”. 

PuTTY – A Reliable SSH Client

Secure Shell (SSH) is a fundamental protocol for accessing and managing your VPS securely. PuTTY is a widely used and reliable SSH client for Windows, which you can download from PuTTY Downloads(https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). 

If you are using a different SSH client, make sure it is configured and ready for connecting to your VPS. 

Setting Up SSH Key Authentication

Configuring SSH Key Authentication is the first step in securing your Virtual Private Server (VPS). For a detailed guide on how to set up SSH Key Authentication, please refer to our existing guide on “How to Use SSH Keys with Your Server”. 

Once you have completed the SSH Key Authentication setup, return here to continue with the process of enabling Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your VPS. 

Installing and Configuring TOTP on Your VPS

Now that SSH Key Authentication is in place, let us proceed with the installation and configuration of Time-based One-Time Passwords (TOTP) for an added layer of security on your VPS. 

Installing Required Packages to Enable TOTP

Begin by installing the necessary packages to enable TOTP. The exact commands may vary based on your VPS’s operating system. Refer to your system’s package manager documentation for guidance. 

Example commands for a Debian-based system: 

sudo apt-get update
sudo apt-get install libpam-google-authenticator

Configuring TOTP for SSH

Once the required packages are installed, configure TOTP for SSH. Edit the SSH daemon configuration file, usually located at `/etc/ssh/sshd_config`, and ensure the following lines are present: 

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Save the changes and restart the SSH service: 

sudo service ssh restart

Securing Your SSH Configuration

To enhance security, disable password authentication for SSH. Open the SSH configuration file again and set: 

PasswordAuthentication no

Restart the SSH service to apply the changes. 

sudo service ssh restart

Setting Up TOTP on Your Mobile Device

Now, let us configure the Time-based One-Time Passwords (TOTP) on your mobile device. This step ensures a seamless and secure authentication process for accessing your Virtual Private Server (VPS). 

Installing a TOTP Authenticator App

Begin by installing a TOTP Authenticator app on your mobile device. Google Authenticator is a popular choice, but alternatives like Authy or Microsoft Authenticator work just as well. Visit your device’s app store: 

Apps for Android: 

  • Google Authenticator 
  • Microsoft Authenticator 
  • Authy 

Apps for iOS: 

  • Google Authenticator 
  • Microsoft Authenticator 
  • Authy 

Download and install the app. 

Adding Your VPS to the Authenticator App

1. Open the TOTP Authenticator app. 

2. Tap on the option to add a new account or scan a barcode. 

3. On your VPS, run the following command to generate a QR code for the TOTP setup: 

google-authenticator 

4. Scan the QR code with your TOTP Authenticator app or manually enter the provided key. 

Generating and Saving Backup Codes

As a precaution, generate and save backup codes. These codes act as a failsafe in case you lose access to your mobile device. During the setup process (step 3), you will be prompted to generate backup codes. Save these codes in a secure location, such as a password manager or a physical backup. 

With TOTP set up on your mobile device, your VPS now requires both SSH key authentication and a time-sensitive code from your authenticator app for access, significantly enhancing the security of your server. 

Testing TOTP Authentication

Before concluding the setup, it is particularly important to test TOTP authentication to confirm its effectiveness. Attempt to SSH into your VPS, and you should be prompted for both your SSH key and the TOTP generated by your authenticator app. 

ssh your_username@your_vps_ip 

If you are prompted for both and the login succeeds, Time-based One-Time Passwords are working on your VPS. Now proceed to the next steps to finalize the implementation and secure your server further. 

Enforcing 2FA/TOTP

Now that Time-based One-Time Passwords (TOTP) are configured, it is time to enforce Two-Factor Authentication (2FA) on your VPS. This ensures that accessing your server requires both SSH key authentication and the dynamic TOTP generated by your mobile device. 

Modifying SSH Configuration 

Open your SSH configuration file, typically located at `/etc/ssh/sshd_config`, and make sure the following settings are configured: 

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no

Save the changes and restart the SSH service: 

sudo service ssh restart

These settings ensure that SSH requires both public key authentication and the TOTP challenge. 

Disabling Password Authentication

To strengthen security further, disable password authentication entirely. Confirm that the following line is present in your SSH configuration file: 

PasswordAuthentication no 

Again, restart the SSH service to apply the changes. 

sudo service ssh restart 

Adjusting Security Group/Firewall Rules 

If your VPS is behind a firewall or security group, ensure that the necessary ports for SSH (typically port 22) are open. TOTP itself does not listen on a port, but it depends on an accurate clock, so also confirm that the security group or firewall allows the time synchronization traffic (NTP, often UDP port 123) that keeps the server in step with your authenticator app. Adjust these rules as needed to align with your server’s specific setup. 

With these edits, your VPS is now enforcing Two-Factor Authentication with Time-based One-Time Passwords, significantly enhancing the security posture of your server. Ensure successful authentication by testing access with both the SSH key and TOTP requirements.
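The sshd_config edits from the "Configuring TOTP for SSH" and "Enforcing 2FA/TOTP" sections above, as an added example that is not part of the original guide: it applies the three settings idempotently (rewriting existing or commented-out lines instead of appending duplicates), checks the result, and also enables the PAM module that actually prompts for the code, a step the guide leaves implicit. File paths are parameters so it can be rehearsed on copies; the defaults are the standard Debian locations, and all function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide. Run as root on the server.

# set_sshd_option FILE KEY VALUE: rewrite the first matching line (even one
# that is commented out), drop later duplicates, append if the key is absent.
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
    line ~ ("^" k "[ \t]") { if (!done) { print k " " v; done = 1 }; next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
}

# The settings from the guide, plus UsePAM, without which the PAM module is
# never consulted. (Newer OpenSSH also accepts KbdInteractiveAuthentication;
# the older name below is still honoured as an alias.)
harden_sshd_config() {
  cfg=${1:-/etc/ssh/sshd_config}
  set_sshd_option "$cfg" ChallengeResponseAuthentication yes
  set_sshd_option "$cfg" AuthenticationMethods publickey,keyboard-interactive
  set_sshd_option "$cfg" PasswordAuthentication no
  set_sshd_option "$cfg" UsePAM yes
}

# enable_pam_totp [PAMFILE]: make PAM ask for the TOTP code on SSH logins.
enable_pam_totp() {
  pam=${1:-/etc/pam.d/sshd}
  grep -q 'pam_google_authenticator.so' "$pam" ||
    printf 'auth required pam_google_authenticator.so\n' >> "$pam"
}

# check_sshd_config [FILE]: each required setting present exactly once and
# not commented out; returns 1 and names the offender otherwise.
check_sshd_config() {
  cfg=${1:-/etc/ssh/sshd_config}
  for want in 'ChallengeResponseAuthentication yes' \
              'AuthenticationMethods publickey,keyboard-interactive' \
              'PasswordAuthentication no' 'UsePAM yes'; do
    n=$(grep -cE "^[[:space:]]*$want[[:space:]]*$" "$cfg" || true)
    [ "$n" -eq 1 ] || { echo "check failed for: $want ($n matches)" >&2; return 1; }
  done
}
```

Keep your existing SSH session open, run `sudo sshd -t` after the edits and only then `sudo service ssh restart`, and confirm the new login from a second terminal. On Debian and Ubuntu, /etc/pam.d/sshd also carries `@include common-auth`, which keeps asking for the Unix password in addition to the code unless you comment it out.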

Conclusion

As we conclude this guide on enabling Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your Virtual Private Server (VPS), let us recap the benefits and consider some concluding thoughts on enhancing the security of your server. 

Recap of the Benefits of Enabling 2FA/TOTP 

Enabling 2FA/TOTP on your VPS provides a robust defense against unauthorized access and potential security threats. By combining SSH key authentication with the dynamic element of TOTP, you have created a multi-layered security approach. The benefits include: 

  • Enhanced Security: Two layers of authentication significantly reduce the risk of unauthorized access, even if one factor is compromised. 
  • Protection Against Brute Force Attacks: The dynamic nature of TOTP codes makes brute force attacks more challenging to execute successfully. 
  • Securing Sensitive Data: If your VPS handles sensitive data or critical applications, 2FA/TOTP adds an extra shield, ensuring the integrity and confidentiality of your information. 