How to Set Up Two-Factor Authentication for Raspberry Pi

Two Factor Authentication Raspberry Pi Mfa

SSH is one of the most popular ways to control your Raspberry Pi from your laptop or PC. Here you’ll learn how to set up two-factor authentication for your SSH access to Raspberry Pi and add an extra layer of security to it.

Note: If you are using SSH key-file to access your Raspberry Pi, the two-factor authentication won’t be in use.

Update your Pi

Assuming you have already set up your Raspberry Pi with Raspberry Pi OS, it’s best to first check that all your software is up to date. Open a terminal and type the following command:

sudo apt update && sudo apt -y upgrade

Enable SSH

Raspberry Pi OS has the SSH server disabled by default. Before you can connect to your Pi via SSH, you need to enable it by running the following Terminal commands:

sudo systemctl enable ssh
sudo systemctl start ssh
Enable SSH on your Raspberry Pi.

You’ll can now connect to the SSH server.

Require identify authentication, with challenge-response

Ultimately, your Raspberry Pi needs to challenge you to authenticate your identity and then process your response, which means you need to enable challenge-response passwords.

To start, open the SSH config file for editing by running the following Terminal command:

sudo nano /etc/ssh/sshd_config

Within this file, find the ChallengeResponseAuthentication section and change it from “no” to “yes.”

Find the

You can now save the updated “sshd_config” file by pressing Ctrl + O, followed by Ctrl + X.

Back in the Terminal, restart the SSH daemon with your new configuration:

sudo systemctl restart ssh

Since changes have been made to the SSH configuration, it’s a good idea to check that you can still connect to your Raspberry Pi over SSH.

To connect to the SSH server, you’ll need to know the IP address of your Raspberry Pi. If you don’t already have this information, then run the following command on your Pi:

hostname -I

This will return the IP address you need to use.

Switch over to your laptop or computer, launch a Terminal and then connect to your Raspberry Pi, being sure to replace “10.3.000.0” with your unique IP address:

ssh pi@10.3.000.0

You are now connected over SSH.

Setting Up Two-Factor Authentication

Next, download the Authenticator application for the generation of the one-time authentication code. There are various authentication apps on the market, but I’m using Google Authenticator for this tutorial, which is available for both iOS and Android.

You can download the Google Authenticator app for free, from Google Play.

Once you’ve downloaded this mobile application, you’ll also need to install the Google Authenticator PAM module on your Raspberry Pi.

On your Pi, open a Terminal window and run the following command:

sudo apt install libpam-google-authenticator

Once Google Authenticator is installed on both your Raspberry Pi and your mobile device, you’re ready to set up two-factor authentication.

Create a connection: linking your Pi to your mobile device

To create a link between your mobile application and your Raspberry Pi, generate a QR code on your Pi and then scan this code using your smartphone or tablet.

To generate the QR code, switch back to your Raspberry Pi and run the following Terminal command:

google-authenticator

Your Raspberry Pi will ask whether its authentication tokens should be time-restricted. Since it’s more secure, you typically want to generate time-based authentication tokens unless you have a specific reason not to.

It's recommended that you use Google Authenticator to generate time-sensitive tokens.

The Terminal will generate a QR code, although you may need to resize the Terminal in order to see the full barcode.

There is also a series of emergency codes. If you ever lose, misplace or break your mobile device, these codes will allow you to access your Raspberry Pi over SSH, even without your mobile device. Don’t risk getting locked out of your Raspberry Pi. Make a note of these codes and store them somewhere safe.

Use this QR code to connect your Raspberry Pi to the Google Authenticator app:

1. On your smartphone or tablet, launch the Google Authenticator app.

2. In the bottom-right corner, tap the “+” sign.

3. Select “Scan a QR barcode.” When prompted, grant the app permission to access your device’s camera.

4. Hold your device’s camera up to your monitor and position it over the QR code. As soon as your smartphone or tablet recognizes the QR code, it’ll create an account and start generating authentication codes automatically.

5. Switch back to your Raspberry Pi; the Terminal will prompt you to update your “google_authenticator” file. Press the Y key on your keyboard.

6. You’ll be asked whether you want to prevent multiple people from using the same authentication token. Press the Y key on your keyboard.

7. When asked whether you want to increase the time skew window, press N, as this will help protect you against brute-force attacks.

8. The Terminal will now ask you to enable rate-limiting, which will restrict you (and potential hackers!) to three login attempts every 30 seconds. Rate-limiting can help protect you against brute-force and other password-based attacks, so you should opt for “Yes” unless you have a specific reason not to.

Linux Pluggable Authentication Modules

Finally, you need to enable two-factor authentication to your Raspberry Pi using the Linux Pluggable Authentication Modules (PAM).

To start, open the “sshd” file in the Nano text editor:

sudo nano /etc/pam.d/sshd

Add the following line:

auth required pam_google_authenticator.so

However, where you add the following line matters:

1. After entering your password

If you want to be prompted for a one-time authentication code after entering your Raspberry Pi’s password, then add this line after @include.

I want to be prompted for my authentication code, before entering my password.

2. Before entering your password

If you want to be prompted for your one-time authentication code before entering your password, add this line before @include.

Once you’ve made these changes, save your file by pressing Ctrl + O, followed by Ctrl + X.

Restart the SSH daemon:

sudo systemctl restart ssh

Now every time you try to connect over SSH, you’ll be asked for a one-time verification code.

Now, when you try to connect to your Raspberry Pi over SSH, you'll be prompted to enter a verification code.

Now that you have set up two-factor authentication on your Raspberry Pi, you can proceed to set up your personal web server or a music server. You can also further increase the security of your SSH with these tricks.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Jessica Thornsby

Jessica Thornsby is a technical writer based in Derbyshire, UK. When she isn’t obsessing over all things tech, she enjoys researching her family tree, and spending far too much time with her house rabbits.