Hi, I was wondering if there was any way to add TOTP 2FA as a requirement for logging into my laptop. I don't really want to use my YubiKey since I can't back it up and I can't really afford to spend $50 on a backup atm. Are there any solutions?
Like with an android phone?
google-authenticator should work I think.
It's in the repos as libpam-google-authenticator
From there the steps should be pretty similar to this guide I found quickly:
How to add two-factor authentication to Linux with Google Authenticator | TechRadar
Except instead of the /etc/pam.d/common-auth file (which we do not have) you should use /etc/pam.d/lightdm (assuming you use lightdm) or you may wish to enable it for other services and/or make use of a more generalized file like /etc/pam.d/login to cover more than just the display manager.
Then again … I never did this … so don't go breaking things on my advice
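Added example (not part of the thread, and not taken from the linked guide): a small audit helper that reports, per PAM service file, whether `pam_google_authenticator.so` is actually enforced, since the post above notes that `/etc/pam.d/lightdm` covers only the display manager. The status names and the sample files are constructed for illustration; the module name and its `nullok` option are the real ones shipped by the package.

```bash
#!/usr/bin/env bash
# Classify how one PAM service file uses pam_google_authenticator.so.
# Prints: missing | enforced | nullok | review  (status names are made up here)
totp_pam_status() {
    local file="$1"
    local line control
    # First active (uncommented) auth line that loads the module.
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$file" | head -n 1) || true
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    # Field 2 of a PAM rule is the control flag.
    control=$(printf '%s\n' "$line" | awk '{print $2}')
    case "$control" in
        required|requisite)
            # nullok lets an account with no TOTP secret set up yet skip the code.
            if printf '%s\n' "$line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then
                echo nullok
            else
                echo enforced
            fi ;;
        *)
            # sufficient, optional or bracketed controls need a manual look.
            echo review ;;
    esac
}

# Constructed sample service files (not copied from any real system).
make_sample_pam_dir() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' \
        'auth include system-login' > "$dir/lightdm"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so nullok' \
        'auth include system-login' > "$dir/login"
    printf '%s\n' '#%PAM-1.0' '# auth required pam_google_authenticator.so' \
        'auth include system-login' > "$dir/sshd"
    echo "$dir"
}

# Run against the samples; point the loop at /etc/pam.d to audit a real machine.
sample_dir=$(make_sample_pam_dir)
for f in "$sample_dir"/*; do
    printf '%-8s %s\n' "$(basename "$f")" "$(totp_pam_status "$f")"
done
rm -rf "$sample_dir"
```

Any service reported as `missing`, `nullok` or `review` is a login path where the TOTP code may not be demanded, so keep a root shell open while testing changes to these files.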
Thanks, I'll investigate this and get back to you.
Another interesting alternative is pam_usb – in this case you use your USB stick as hardware key:
Eh, I decided it would be too much of a hassle so nvm. Thanks for the suggestion.
You can use tpm2-totp to show you a code during boot, which would not be a requirement to log in, but just a sign of unchanged binaries used for the booting process.