Secure desktop login with a one-time token

Geminess, 123RF

Double Check

Desktop login normally requires only a username and password, and both are often easy to guess. For better protection, you can implement two-step authentication using a PAM module and a free mobile app.

The usual desktop login using a username and password provides some rudimentary security against unauthorized access, but it's not always enough. Users often use weak passwords and even write them on a sticky note placed on their monitor. You don't need to be a security expert to realize that unauthorized logins under such circumstances are not that hard.

Other authentication methods that provide an additional step are much more secure. One approach is generating unique one-time-use tokens – password-like strings – that provide an extra level of security. The computer requests the one-time password (OTP) at login together with the other credentials.

The secret is that only an authorized user has access to the one-time token. Unauthorized third parties (e.g., colleagues) can't get the OTP and, therefore, cannot log in. These methods are also referred to as two-factor, or two-step, authentication.

Google Helps

Two-factor authentication on Linux systems is mostly implemented with a Pluggable Authentication Module (PAM) module – in this case as an extension of the desktop login. A simple but powerful solution comes from Google: with the Google Authenticator [1], you extend the PAM configuration used for logging in to the Linux machine by loading an additional module library. PAM libraries provide a common API for authentication services, so rather than each program implementing its own login handling, PAM provides a standardized service in the form of modules.

On your Android, iOS, or Blackberry smartphone, you also can install a free app [2] that links the Linux login with the Google Authenticator. When the system prompts you for the time-based, one-time password (TOTP), you can then grab the smartphone and read the string off it.

Note that both the smartphone and the Linux computer require a working time synchronization. If the times drift apart, the TOTP login won't work. The Google Authenticator mechanism also doesn't necessarily have to apply to all the users of the system: PAM can be configured so that it won't lock out other users.

Five Minutes

For the test installation, I used Ubuntu 14.04 (32-bit). Unless otherwise indicated, all commands must be executed using root privileges. If you're not on Ubuntu or one of its derivatives, you'll find helpful tips and tricks for two-factor authentication on the Google Authenticator project wiki [3].

To begin, bring the system up to date using apt-get (Listing 1, lines 1 and 2), then install the required components from the repository (line 3). In my test, the necessary package, libpam-google-authenticator, was in the official Ubuntu repo. The package can go by a different name in other distributions.

Listing 1

Update and Configure

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install libpam-google-authenticator libqrencode3

For convenience, you may also want the libqrencode3 package. The library allows Google Authenticator to generate a QR code, which you scan with the smartphone app to link the account, as described later.

The next step is to build the Authenticator into the login screen that appears at system startup. On Ubuntu 14.04, open the PAM configuration file of the LightDM display manager (/etc/pam.d/lightdm) with a text editor and add the following line at the end:

auth required pam_google_authenticator.so nullok

The nullok parameter at the end ensures that users who have not set up Google Authenticator can still log in.

If you also want the screensaver to require a token when unlocking, add the same line to the /etc/pam.d/gnome-screensaver file. If you're not using LightDM or the Gnome screensaver, make the adjustment in the PAM files of your system's display manager and screensaver. Note that my test was exclusively with Google Authenticator on stock Ubuntu.
