SSH multi factor authentication

Stephen Harris lists at
Mon Jul 4 12:53:37 AEST 2016

On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> One, the Google Authenticator (OTP authentication).

On its own, this is not 2FA.  It's single factor ("something you

A combination of Google Authenticator _and_ password is 2FA.  This is
easy to do with PAM.

> Two, Public/Private key authentication (pubkeyauthentication = yes) which
> supports pass phrase private key authentication.

This is 2FA in that you need the private key and the passphrase for it.
Unfortunately this can't be enforced at the server; it's client side.
That's because the client could _remove_ the passphrase and reduce
it to "something you have".  The server can't tell the difference.
So, from a controls perspective, you have to assume "single factor".



More information about the openssh-unix-dev mailing list