How to Set Up Two-Factor Authentication (2FA) on Arch Linux

In the modern world, where cyber threats are evolving constantly, strengthening your security posture is not just a luxury—it’s a necessity. One of the most effective ways to enhance the security of your Arch Linux system is by enabling Two-Factor Authentication (2FA). This adds an extra layer of security on top of your usual password, making it significantly harder for unauthorized users to gain access to your system.

In this article, we’ll explore how to set up 2FA on Arch Linux, using Google Authenticator and PAM (Pluggable Authentication Modules). By the end of this guide, you’ll have a secure, time-based one-time password (TOTP) system integrated with your login process.


1. What is Two-Factor Authentication (2FA)?

Two-Factor Authentication is a method of confirming a user’s identity by requiring two different forms of authentication. Typically, it includes:

  • Something you know (e.g., a password)
  • Something you have (e.g., a smartphone app generating TOTP)

With 2FA enabled, even if an attacker obtains your password, they cannot log in without also having access to the second factor—usually a time-based code generated by an app like Google Authenticator, Authy, or FreeOTP.


2. Prerequisites

Before proceeding, ensure the following:

  • You’re using Arch Linux (or an Arch-based distribution).
  • You have sudo privileges.
  • You have a smartphone with an authenticator app installed.
  • You are comfortable editing PAM configuration files (with proper caution).

3. Installing Google Authenticator PAM Module

Arch Linux provides the libpam-google-authenticator package in the official repositories. This package includes the necessary PAM module and a CLI tool for setup.

Step 1: Install the package

Open a terminal and run:

sudo pacman -S libpam-google-authenticator

Step 2: Verify the installation

Make sure the binary is available:

which google-authenticator

You should see /usr/bin/google-authenticator if the installation was successful.


4. Configuring Google Authenticator

Each user must run the google-authenticator command to generate their own secret key and QR code.

Step 1: Run the tool

Execute the following as the user you wish to protect:

google-authenticator

You will be prompted with a series of questions. Let’s break them down:

Step 2: Scan the QR Code

The tool will generate a QR code like this:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/...

Open your preferred authenticator app and scan the QR code. This registers your Arch Linux system in the app.

Step 3: Answer the prompts

You’ll be asked a few questions:

  • Do you want authentication tokens to be time-based?

    • Type y for yes. This enables TOTP.
  • Do you want me to update your “/home/username/.google_authenticator” file?

    • Type y. This saves the configuration.
  • Do you want to disallow multiple uses of the same token?

    • Type y. This prevents token reuse.
  • Do you want to increase the time skew window?

    • Type n, unless you experience problems with timing.
  • Do you want to enable rate-limiting?

    • Type y. This is a good security measure to prevent brute-force attacks.

This generates a .google_authenticator file in your home directory containing your secret key and configuration.
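To make the prompts above concrete, here is an added example (my own code, not part of this article or of the google-authenticator project) that computes the same time-based codes an authenticator app shows and applies the two checks the questions configure: the time skew window and "disallow multiple uses of the same token". It assumes the default 30-second step, 6-digit codes and a window of 3 codes (the current step plus one on either side); the secret and the sample ~/.google_authenticator contents are constructed, with the secret chosen so the RFC 6238 test vectors apply.

```python
"""Added example: what the authenticator app and the PAM module compute.
Not the article's code; the secret and file contents below are constructed."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP period assumed by this example
DIGITS = 6          # code length assumed by this example


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def decode_secret(secret_b32: str) -> bytes:
    """The first line of ~/.google_authenticator is the key in unpadded base32."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_config(text: str) -> dict:
    """Parse the ~/.google_authenticator layout: secret line, '" OPTION' lines, scratch codes."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    cfg = {"secret": decode_secret(lines[0]), "options": {}, "scratch_codes": []}
    for ln in lines[1:]:
        if ln.startswith('"'):
            parts = ln[1:].split()
            cfg["options"][parts[0]] = parts[1:]
        elif ln.isdigit():
            cfg["scratch_codes"].append(ln)
    return cfg


# Constructed sample file; the base32 line decodes to the RFC 6238 test secret.
SAMPLE_CONFIG = (
    "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n"
    '" RATE_LIMIT 3 30\n'
    '" DISALLOW_REUSE\n'
    '" TOTP_AUTH\n'
    "12345678\n"
)


class TotpVerifier:
    """Server-side check with the two behaviours the setup prompts ask about:
    a skew window of `window_size` codes (assumed default 3 = current step +/- 1)
    and DISALLOW_REUSE, which rejects a code whose counter was already accepted."""

    def __init__(self, secret: bytes, window_size: int = 3, disallow_reuse: bool = True):
        self.secret = secret
        self.half = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.last_counter = -1   # highest counter whose code has been accepted

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // STEP_SECONDS
        for counter in range(base - self.half, base + self.half + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.disallow_reuse and counter <= self.last_counter:
                    return False   # replay of a code that was already used
                self.last_counter = max(self.last_counter, counter)
                return True
        return False


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("code at t=59:", totp(cfg["secret"], 59))
    v = TotpVerifier(cfg["secret"])
    print("first use:", v.verify(totp(cfg["secret"], 59), 59))
    print("replay:", v.verify(totp(cfg["secret"], 59), 59))
```

The replay check is why answering "y" to the reuse question matters: a code observed over someone's shoulder is useless once the legitimate user has logged in with it, and the skew window only extends acceptance by one 30-second step in each direction, which is why accurate system time (section 8) is essential.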


5. Modifying PAM Configuration

Now that the TOTP setup is ready, you need to integrate it into the system’s login mechanism using PAM.

⚠️ Be very careful editing PAM files. A misconfiguration may lock you out of your system.

Step 1: Backup existing PAM files

sudo cp /etc/pam.d/login /etc/pam.d/login.bak

Step 2: Edit /etc/pam.d/login

Use a text editor:

sudo nano /etc/pam.d/login

Add the following line near the top (usually after the auth section starts):

auth required pam_google_authenticator.so

Save and exit (Ctrl+O, Enter, Ctrl+X in nano).

💡 This ensures that the system will prompt for a TOTP code during console login.


6. Testing 2FA Authentication

Before logging out, open a new terminal (or SSH session if applicable) and test the login process. Try to su to another user or simulate a login:

su - yourusername

You should be prompted for:

  1. Your password
  2. A verification code (TOTP)

Only after entering both correctly will you gain access.


7. Optional: SSH 2FA Configuration

To enable 2FA over SSH, you need to configure both PAM and sshd.

Step 1: Modify /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Ensure the following lines are set:

ChallengeResponseAuthentication yes
UsePAM yes

Save and exit.

Step 2: Restart SSH daemon

sudo systemctl restart sshd

Step 3: PAM for SSH

Edit /etc/pam.d/sshd and add:

auth required pam_google_authenticator.so

Make sure it’s added before other authentication methods.
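Because a wrong edit to these files locks you out, here is an added example (my own code, not from the article or any project) that lints the two hand-edited files from sections 5 and 7 before you log out: it reports whether pam_google_authenticator.so is the first auth entry in a /etc/pam.d file, and it resolves sshd_config the way sshd does, where the first occurrence of a keyword wins and settings after a Match line are conditional. The file contents are constructed samples; run the functions on the real files by reading them with open().

```python
"""Added example: lint the hand-edited PAM and sshd_config files.
Not the article's code; the sample file contents below are constructed."""
import re

MODULE = "pam_google_authenticator.so"


def pam_entries(text: str):
    """Yield (type, control, module) for each effective line of a /etc/pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0].lower(), parts[1], parts[2]


def totp_position(text: str) -> str:
    """'first' if the module is the first auth line, 'later' if another auth
    entry (e.g. the password stack) runs before it, 'missing' if it is absent."""
    auth_modules = [m for t, _, m in pam_entries(text) if t == "auth"]
    for i, module in enumerate(auth_modules):
        if module.endswith(MODULE):
            return "first" if i == 0 else "later"
    return "missing"


def sshd_effective(text: str) -> dict:
    """Global sshd_config values: keywords are case-insensitive, the FIRST
    occurrence of a keyword wins, and lines after a Match block are conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def sshd_ready_for_2fa(text: str) -> bool:
    """True when UsePAM is yes and challenge-response (keyboard-interactive)
    authentication is enabled. KbdInteractiveAuthentication is the newer
    OpenSSH name for ChallengeResponseAuthentication; both default to yes,
    UsePAM defaults to no."""
    eff = sshd_effective(text)
    challenge = eff.get("kbdinteractiveauthentication",
                        eff.get("challengeresponseauthentication", "yes"))
    return eff.get("usepam", "no").lower() == "yes" and challenge.lower() == "yes"


# Constructed samples.
LOGIN_OK = """#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login
"""

LOGIN_LATE = """#%PAM-1.0
auth       include      system-local-login
auth       required     pam_google_authenticator.so
account    include      system-local-login
"""

SSHD_TRAP = """# the early 'UsePAM no' silently wins over the later 'UsePAM yes'
UsePAM no
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
"""

SSHD_OK = "ChallengeResponseAuthentication yes\nUsePAM yes\n"


if __name__ == "__main__":
    print("login.pam:", totp_position(LOGIN_OK))
    print("sshd trap ready:", sshd_ready_for_2fa(SSHD_TRAP))
    print("sshd ok ready:", sshd_ready_for_2fa(SSHD_OK))
```

A "later" result is not necessarily wrong, but it means the password prompt comes before the code prompt; "missing" means the module line did not take effect at all, which is the case most likely to let a session open without a second factor.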


8. Best Practices and Security Tips

Here are some important tips for using 2FA effectively on Arch Linux:

🔒 Backup Your Secret Key

  • Save a copy of the secret key or the .google_authenticator file in a secure offline location.
  • Consider printing the QR code and storing it in a safe place.

🔐 Use Secure Authenticator Apps

  • Stick with trusted apps like Aegis, FreeOTP, or Google Authenticator.
  • Avoid apps that require an internet connection or cloud backup unless you’re certain of their security.

🛑 Don’t Lock Yourself Out

  • Always test login mechanisms before logging out.
  • Keep a root terminal or TTY open in case something goes wrong.
  • If you’re configuring a remote system, use tools like tmux or screen to ensure your session stays active.

👨‍👩‍👧 Multi-user Systems

  • Each user must configure their own 2FA using google-authenticator.
  • System-wide enforcement is not automatic and must be managed carefully.

📆 Keep Time in Sync

  • Ensure your system time is accurate. Install and enable systemd-timesyncd or ntpd:

sudo timedatectl set-ntp true

9. Conclusion

Enabling Two-Factor Authentication on Arch Linux is a straightforward but powerful step toward securing your system. By requiring a time-based code in addition to your password, you can drastically reduce the chances of unauthorized access—even if your password is compromised.

While it’s easy to set up using the libpam-google-authenticator package, make sure to test thoroughly, back up your secret keys, and keep time synchronization enabled to avoid lockouts or mismatches.

Security is a journey, not a destination. Integrating 2FA is a big leap forward in making your Arch Linux system more resilient and trustworthy.


If you’d like to take your system’s security even further, consider pairing 2FA with other hardening techniques like AppArmor, firewalls, and full-disk encryption.