Combining two-factor authentication and SSH

Secure SSH tunnels are great for encrypting traffic, and two-factor authentication is great for adding another element to authorising them. Why not combine the two?

Setting up a secure SSH tunnel for communications and using two-factor authentication wherever possible are two security measures that many recommend, but what about combining the two, so that if an SSH private key is lost or stolen, the key alone is not enough to get into your server?

One company that has done just that is Authy, which has developed an API that takes care of sending and verifying tokens. Installing the additional security measure is as simple as downloading the code that interfaces with its API (which the company has published on GitHub); installing, enabling and testing it; then restarting the SSH service, all in about five commands.

After setting it up, users will receive tokens via SMS, or by using Authy's mobile app for Android, iPhone or BlackBerry.

There are some limitations, however. Setting up the process requires an API key from Authy, which is free if users expect to make fewer than 1000 API calls per minute. Additionally, Authy doesn't appear to use the standard Time-based One-time Password (TOTP) algorithm, which means its codes cannot be generated by other two-factor mobile applications, such as Google Authenticator.

The truly nervous may be concerned that they have to rely on the availability and trustworthiness of a third party to manage their tokens. In this case, there are alternatives, including Google Authenticator's pluggable authentication module (PAM) for OpenSSH. This approach, when implemented correctly, stores the shared secret used to generate codes only on the server and on the user's device, eliminating any reliance on a third party, Google included, although it does require a bit more work.
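As an added illustration, not code from Authy, Google or the original article, here is the TOTP algorithm (RFC 6238, built on the RFC 4226 HOTP counter scheme) that the Google Authenticator PAM module and compatible apps share, written in Python. It shows what the shared-secret model above means in practice: the same secret on the server and the user's device yields the same six-digit code, the server tolerates one step of clock skew, and a code is accepted only once. The secret used is the RFC 6238 test value; the function names, the base32 helper and the replay check are this example's own, modelled on the PAM module's behaviour rather than copied from it.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example (not the Authy or Google Authenticator source). Both sides of
# the exchange hold the same secret; no third party takes part in generating
# or checking a code.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    This is what the app on the phone computes and displays."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the code for the current time step and up to
    `window` steps either side (clock skew). Any counter at or below
    `last_counter` is refused, so a code that has already been used cannot be
    replayed. Returns the matched counter (store it as the new last_counter)
    or None if the code is rejected."""
    counter = at_time // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue  # already consumed: each code is good exactly once
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def secret_from_base32(b32: str) -> bytes:
    """Google Authenticator keeps the secret base32-encoded, both in the
    per-user file on the server and in the QR code scanned by the phone."""
    b32 = b32.strip().upper().replace(" ", "")
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    shown = totp(secret, now)              # what the phone displays
    accepted = verify_totp(secret, shown, now)
    print("client shows:", shown)
    print("server accepts:", accepted is not None)
    # The same code presented again is a replay and is refused.
    print("replay accepted:", verify_totp(secret, shown, now, last_counter=accepted) is not None)
```

Pair this with `AuthenticationMethods publickey,keyboard-interactive` in `sshd_config` and the login requires both the key and a valid code, which is the property the article is after: a stolen key on its own gets an attacker nothing.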