Passwords alone are insufficient for securing server access, as they can be stolen through phishing, keyloggers, or password database breaches. Time-based One-Time Password (TOTP) authentication adds a second factor that changes every 30 seconds, making stolen credentials useless without physical access to the user's authentication device.
Setting Up TOTP on Linux Servers
Install the Google Authenticator PAM module on your Linux servers and configure it for each user who needs SSH access. The setup generates a secret key that is shared with the user's authenticator app (Google Authenticator, Authy, or FreeOTP) via QR code. The PAM module then requires the current TOTP code in addition to the SSH key or password during login.
Configure the PAM stack so that a login requires both the SSH key and the TOTP code, not one or the other. Edit /etc/pam.d/sshd to add the pam_google_authenticator module, and set ChallengeResponseAuthentication to yes in sshd_config. Test the configuration thoroughly from a separate terminal while your existing session stays open, since a misconfiguration can lock you out.
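To make concrete what the PAM module is checking during login (the 30-second codes from the first paragraph and the verification step described above), here is an added example, not code from the page or from the google-authenticator project, that computes and verifies RFC 6238 TOTP codes from a base32 secret of the kind the authenticator app receives via the QR code. It assumes HMAC-SHA1, 6 digits and a 30-second step (the defaults), accepts one step of clock skew either side, and rejects reuse of a code by tracking the last accepted time step, which is how replay of an intercepted code is blocked.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the 30-second window the article describes
DIGITS = 6          # standard authenticator-app code length


def totp_at(secret_b32: str, unix_time: int, step: int = STEP_SECONDS,
            digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # restore any stripped padding
    key = base64.b32decode(s, casefold=True)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1):
    """Verifier-side check with skew tolerance and replay rejection.

    Returns (accepted, new_last_used_counter). A code is accepted only if it
    matches the current step or one within +/-window steps AND that step is
    later than the last step already used, so a captured code cannot be replayed.
    """
    counter = int(unix_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue                              # already consumed: replay
        expected = totp_at(secret_b32, candidate * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True, candidate
    return False, last_used_counter


# Constructed demo using the RFC 6238 reference secret "12345678901234567890"
# in base32; a real secret comes from the user's enrollment, never from code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    ok, last = verify_totp(RFC_SECRET_B32, totp_at(RFC_SECRET_B32, 59), 59)
    replay, _ = verify_totp(RFC_SECRET_B32, totp_at(RFC_SECRET_B32, 59), 59, last)
    print("first use accepted:", ok, "| replay accepted:", replay)
```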
For organizations managing many servers, consider centralized two-factor authentication solutions like Duo Security or a RADIUS server with TOTP support. These centralized approaches make it easier to manage user enrollments, enforce policies, and maintain an audit log of authentication events across your entire infrastructure. Emergency recovery codes should be generated during setup and stored securely offline for situations where the authenticator device is lost or unavailable.