Secure Your Raspberry Pi: Complete Guide to Enabling SSH Two-Factor Authentication

SSH remains a go-to method for remotely managing your Raspberry Pi from a laptop or PC. In this expert guide, drawn from years of securing Pi deployments, I'll walk you through setting up two-factor authentication (2FA) for SSH access. This adds a robust security layer against unauthorized entry.

Note: If you access your Raspberry Pi using an SSH key file, 2FA won't activate, as keys bypass password prompts.

Update Your Pi

With Raspberry Pi OS installed, ensure all software is current for stability and security. Open a terminal and run:

sudo apt update && sudo apt -y upgrade

Enable SSH

Raspberry Pi OS disables the SSH server by default. Activate it via these commands:

sudo systemctl enable ssh
sudo systemctl start ssh

Require Identity Authentication with Challenge-Response

To support 2FA, configure SSH for challenge-response authentication. Edit the config file:

sudo nano /etc/ssh/sshd_config

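Ensure these lines are set:

ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes

On newer OpenSSH releases the first option is named KbdInteractiveAuthentication, and the old name remains as a deprecated alias. Save the updated "sshd_config" file with Ctrl + O, then exit with Ctrl + X.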

Restart the SSH service:

sudo systemctl restart ssh

Verify connectivity. On your Pi, find its IP:

hostname -I

From your laptop/PC terminal, connect (replace 10.3.000.0 with your IP):

ssh pi@10.3.000.0

You should now be connected via SSH.

Configure Two-Factor Authentication

Download Google Authenticator on your phone (iOS/Android)—a reliable app I've used in countless setups.

Install the PAM module on your Pi:

sudo apt install libpam-google-authenticator

Generate a QR code on the Pi to pair with your app:

google-authenticator

Opt for time-based tokens (more secure). Resize terminal if needed to view the full QR.

Save the emergency scratch codes securely—they're your backup if you lose your phone.

Scan the QR:

  1. Open Google Authenticator.
  2. Tap + (bottom right).
  3. Choose "Scan QR code" and grant camera access.
  4. Point camera at the QR; it auto-configures.

Answer prompts: Yes to update file, Yes to disallow token reuse, No to time offset, Yes to rate-limiting (limits brute-force attempts to 3 every 30s).

Linux Pluggable Authentication Modules

Enable 2FA via PAM. Edit:

sudo nano /etc/pam.d/sshd

Add:

auth required pam_google_authenticator.so

The position of this line sets the prompt order:

Password first, then code: add it after @include common-auth.
Code first, then password: add it before @include common-auth.

Save with Ctrl + O, Ctrl + X. Restart SSH:

sudo systemctl restart ssh

Future logins will prompt for a time-sensitive code from your app.
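
A way to confirm that both edited files match the steps above, as an added example that is not part of the original guide. The function names and the sample files are constructed for illustration, and the script is simplified: it ignores Include files and Match blocks, and it also accepts the newer OpenSSH option name.

```sh
#!/bin/sh
# Added example: audit the two files this guide edits. Simplified on purpose:
# it ignores Include files and Match blocks; `sudo sshd -T` prints the
# effective settings on a real system.

# First uncommented value of sshd_config keyword $2 in file $1 (sshd uses the first).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        !/^[ \t]*#/ && tolower($1) == key { print tolower($2); exit }' "$1"
}

# check_ssh_2fa SSHD_CONFIG PAM_FILE: one finding per line, status 0 if all pass.
check_ssh_2fa() {
    cfg=$1; pam=$2; rc=0
    # Newer OpenSSH calls the option KbdInteractiveAuthentication; accept either name.
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] || { echo "FAIL challenge-response is not set to yes"; rc=1; }
    [ "$(sshd_value "$cfg" UsePAM)" = yes ] || { echo "FAIL UsePAM is not set to yes"; rc=1; }
    # Line number and control flag of the first active google-authenticator auth rule.
    ga=$(awk '!/^[ \t]*#/ && $1 == "auth" && /pam_google_authenticator\.so/ { print NR, $2; exit }' "$pam")
    ca=$(awk '!/^[ \t]*#/ && $1 == "@include" && $2 == "common-auth" { print NR; exit }' "$pam")
    if [ -z "$ga" ]; then
        echo "FAIL no active pam_google_authenticator.so auth line"; rc=1
    elif [ "${ga#* }" != required ]; then
        echo "FAIL pam_google_authenticator.so is '${ga#* }', guide uses 'required'"; rc=1
    elif [ -z "$ca" ]; then
        echo "FAIL @include common-auth is missing (no password factor)"; rc=1
    elif [ "${ga%% *}" -gt "$ca" ]; then
        echo "OK prompt order: password, then code"
    else
        echo "OK prompt order: code, then password"
    fi
    return "$rc"
}

# Constructed sample files (not copied from a real Pi) for a dry run.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#UsePAM no' 'ChallengeResponseAuthentication yes' \
        'PasswordAuthentication yes' 'UsePAM yes' > "$d/sshd_config"
    printf '%s\n' '@include common-auth' \
        'auth required pam_google_authenticator.so' > "$d/pam_sshd"
    check_ssh_2fa "$d/sshd_config" "$d/pam_sshd"; status=$?
    rm -rf "$d"; return "$status"
}
demo
```

On the Pi, call check_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd instead of demo, and keep your current SSH session open until a second login has succeeded.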

With 2FA live, your Pi is far more secure. Next, explore web/music servers or advanced SSH hardening tips.