{"id":17854,"date":"2023-10-12T08:00:00","date_gmt":"2023-10-12T06:00:00","guid":{"rendered":"https:\/\/contabo.com\/blog\/?p=17854"},"modified":"2026-02-03T08:05:35","modified_gmt":"2026-02-03T07:05:35","slug":"how-to-enable-2fa-totp-on-a-vps","status":"publish","type":"post","link":"https:\/\/contabo.com\/blog\/how-to-enable-2fa-totp-on-a-vps\/","title":{"rendered":"How to Enable 2FA\/TOTP on a VPS\u00a0"},"content":{"rendered":"\n
\"How<\/figure>\n\n\n\n
<\/div>\n\n\n\n

This guide will walk you through the process of how to enable 2FA\/TOTP on a VPS on your VPS. Before we delve into the ‘how,’ let us address the ‘what’ and ‘why’ to set the stage for a more secure and resilient virtual environment. <\/p>\n\n\n\n

What is 2FA\/TOTP?<\/h2>\n\n\n\n

Two-factor authentication (2FA) is a security process that adds an additional layer of verification beyond just a password. Typically, it involves something you know (like a password) and something you have (like a mobile device). Time-based One-Time Passwords (TOTP) represent a specific form of 2FA where a unique password is generated at regular intervals, usually 30 seconds, providing a dynamic and time-sensitive element to the authentication process. <\/p>\n\n\n\n

Why Enable 2FA\/TOTP on Your VPS?<\/h2>\n\n\n\n

The digital landscape is full of potential threats, and VPS servers are no exception. Enabling 2FA\/TOTP on your VPS enhances your server’s security posture significantly. Passwords alone are susceptible to various attacks, such as brute force and phishing. By introducing a second layer of authentication, you fortify your defense against unauthorized access, reducing the risk of data breaches and potential compromises. <\/p>\n\n\n\n

If you want to learn more about securing your VPS, check out our guide \u201cFree Tools to Monitor & Test the Security of Your Server or VPS<\/a>\u201d. <\/p>\n\n\n\n

Prerequisites<\/h2>\n\n\n\n

Before embarking on the journey to enable Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your Virtual Private Server (VPS), ensure that you have the following prerequisites in place. <\/p>\n\n\n\n

VPS Access<\/h3>\n\n\n\n

To implement security measures, you must establish a connection to your server via SSH<\/em><\/a> and have administrative access to your VPS. Ensure that you have the necessary credentials and permissions to make configuration changes. If you are not the administrator, coordinate with the person or team responsible for VPS management. <\/p>\n\n\n\n

Not sure if you are the root \u2013 or what a \u201croot\u201d is? No problem! We got you covered with \u201cA Practical Guide to Superuser Accounts, sudo & root<\/a>\u201d. <\/p>\n\n\n\n

PuTTY – A Reliable SSH Client<\/h3>\n\n\n\n

Secure Shell (SSH) is a fundamental protocol for accessing and managing your VPS securely. PuTTY is a widely used and reliable SSH client for Windows, which you can download from PuTTY Downloads(https:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/latest.html). <\/p>\n\n\n\n

 If you are using a different SSH client, make sure it is configured and ready for connecting to your VPS. <\/p>\n\n\n\n

Setting Up SSH Key Authentication<\/h2>\n\n\n\n

Configuring SSH Key Authentication is the first step in securing your Virtual Private Server (VPS). For a detailed guide on how to set up SSH Key Authentication, please refer to our existing guide on \u201cHow to Use SSH Keys with Your Server<\/a>\u201d. <\/p>\n\n\n\n

 Once you have completed the SSH Key Authentication setup, return here to continue with the process of enabling Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your VPS. <\/p>\n\n\n\n

Installing and Configuring TOTP on Your VPS<\/h2>\n\n\n\n

Now that SSH Key Authentication is in place, let us proceed with the installation and configuration of Time-based One-Time Passwords (TOTP) for an added layer of security on your VPS. <\/p>\n\n\n\n

Installing Required Packages to Enable TOTP<\/h3>\n\n\n\n

Begin by installing the necessary packages to enable TOTP. The exact commands may vary based on your VPS’s operating system. Refer to your system’s package manager documentation for guidance. <\/p>\n\n\n\n

Example commands for a Debian-based system: <\/p>\n\n\n\n

sudo apt-get update<\/code><\/pre>\n\n\n\n
sudo apt-get install libpam-google-authenticator<\/code><\/pre>\n\n\n\n
Configuring TOTP for SSH<\/h3>\n\n\n\n
Once the required packages are installed, configure TOTP for SSH. Edit the SSH daemon configuration file, usually located at `\/etc\/ssh\/sshd_config`, and ensure the following lines are present: <\/p>\n\n\n\n
ChallengeResponseAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive<\/code><\/pre>\n\n\n\n
Save the changes and restart the SSH service: <\/p>\n\n\n\n
sudo service ssh restart<\/code><\/pre>\n\n\n\n
Securing Your SSH Configuration<\/h3>\n\n\n\n
To enhance security, disable password authentication for SSH. Open the SSH configuration file again and set: <\/p>\n\n\n\n
PasswordAuthentication no<\/code><\/pre>\n\n\n\n
Restart the SSH service to apply the changes. <\/p>\n\n\n\n
sudo service ssh restart<\/code><\/pre>\n\n\n\n
Setting Up TOTP on Your Mobile Device<\/h2>\n\n\n\n
Now, let us configure the Time-based One-Time Passwords (TOTP) on your mobile device. This step ensures a seamless and secure authentication process for accessing your Virtual Private Server (VPS). <\/p>\n\n\n\n
Installing a TOTP Authenticator App<\/h3>\n\n\n\n
Begin by installing a TOTP Authenticator app on your mobile device. Google Authenticator is a popular choice, but alternatives like Authy<\/a> or Microsoft Authenticator<\/a> work just as well. Visit your device’s app store: <\/p>\n\n\n\n
 Apps for Android: <\/p>\n\n\n\n
Google Authenticator<\/a> <\/p>\n\n\n\n
Microsoft Authenticator<\/a> <\/p>\n\n\n\n
Authy<\/a> <\/p>\n\n\n\n
Apps for iOS: <\/p>\n\n\n\n
Google Authenticator<\/a> <\/p>\n\n\n\n
Microsoft Authenticator<\/a> <\/p>\n\n\n\n
Authy<\/a> <\/p>\n\n\n\n
Download and install the app. <\/p>\n\n\n\n
Adding Your VPS to the Authenticator App<\/h3>\n\n\n\n
1. Open the TOTP Authenticator app. <\/p>\n\n\n\n
2. Tap on the option to add a new account or scan a barcode. <\/p>\n\n\n\n
3. On your VPS, run the following command to generate a QR code for the TOTP setup: <\/p>\n\n\n\n
google-authenticator <\/p>\n\n\n\n
4. Scan the QR code with your TOTP Authenticator app or manually enter the provided key. <\/p>\n\n\n\n
Generating and Saving Backup Codes<\/h3>\n\n\n\n
As a precaution, generate and save backup codes. These codes act as a failsafe in case you lose access to your mobile device. During the setup process (step 3), you will be prompted to generate backup codes. Save these codes in a secure location, such as a password manager or a physical backup. <\/p>\n\n\n\n
With TOTP set up on your mobile device, your VPS now requires both SSH key authentication and a time-sensitive code from your authenticator app for access, significantly enhancing the security of your server. <\/p>\n\n\n\n
Testing TOTP Authentication<\/h3>\n\n\n\n
Before concluding the setup, it is particularly important to test TOTP authentication to confirm its effectiveness. Attempt to SSH into your VPS, and you should be prompted for both your SSH key and the TOTP generated by your authenticator app. <\/p>\n\n\n\n
ssh your_username@your_vps_ip <\/code><\/pre>\n\n\n\n
If successful, you have successfully configured Time-based One-Time Passwords on your VPS. Now proceed to the next steps to finalize the implementation and secure your server further. <\/p>\n\n\n\n
Enforcing 2FA\/TOTP<\/h2>\n\n\n\n
Now that Time-based One-Time Passwords (TOTP) are configured, it is time to enforce Two-Factor Authentication (2FA) on your VPS. This ensures that accessing your server requires both SSH key authentication and the dynamic TOTP generated by your mobile device. <\/p>\n\n\n\n
Modifying SSH Configuration <\/h3>\n\n\n\n
Open your SSH configuration file, typically located at `\/etc\/ssh\/sshd_config`, and make sure the following settings are configured: <\/p>\n\n\n\n
ChallengeResponseAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\nPasswordAuthentication no<\/code><\/pre>\n\n\n\n
Save the changes and restart the SSH service: <\/p>\n\n\n\n
sudo service ssh restart<\/code><\/pre>\n\n\n\n
These settings ensure that SSH requires both public key authentication and the TOTP challenge. <\/p>\n\n\n\n
Disabling Password Authentication<\/h3>\n\n\n\n
To strengthen security further, disable password authentication entirely. Confirm that the following line is present in your SSH configuration file: <\/p>\n\n\n\n
PasswordAuthentication no <\/code><\/pre>\n\n\n\n
Again, restart the SSH service to apply the changes. <\/p>\n\n\n\n
sudo service ssh restart <\/code><\/pre>\n\n\n\n
Adjusting Security Group\/Firewall Rules <\/h3>\n\n\n\n
If your VPS is behind a firewall<\/a> or security group<\/a>, ensure that the necessary ports for SSH (typically port 22) are open. Additionally, confirm that the security group or firewall allows traffic for the chosen TOTP port (often UDP port 123). Adjust these rules as needed to align with your server’s specific setup. <\/p>\n\n\n\n
With these edits, your VPS is now enforcing Two-Factor Authentication with Time-based One-Time Passwords, significantly enhancing the security posture of your server. Ensure successful authentication by testing access with both the SSH key and TOTP requirements.<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
As we conclude this guide on enabling Two-Factor Authentication (2FA) with Time-based One-Time Passwords (TOTP) on your Virtual Private Server (VPS), let us recap the benefits and consider some concluding thoughts on enhancing the security of your server. <\/p>\n\n\n\n
Recap of the Benefits of Enabling 2FA\/TOTP <\/h3>\n\n\n\n
Enabling 2FA\/TOTP on your VPS provides a robust defense against unauthorized access and potential security threats. By combining SSH key authentication with the dynamic element of TOTP, you have created a multi-layered security approach. The benefits include: <\/p>\n\n\n\n