Tutorial
How To Install Authy And Configure Two-Factor Authentication For SSH
Introduction
Using two-factor authentication, makes your VPS more secure by not just requiring a password or SSH key, but also a time-sensitive token generated by your phone.
This means that even if your password is compromised or you accidentally divulge your private key, your cloud server will remain secure.
Authy provides a straightforward platform for setting this up, which is compatible not only with popular apps like Google and Dropbox, but also your very own VPS.
It’s super simple to set up, and although it is a commercial service, for personal and development use, you can have up to 1000 logins per month for free.
You’ll need:
-
A DigitalOcean cloud server, ready to SSH into
-
An iOS or Android mobile device
Getting started
Set up Authy on your phone
Download the Authy app for your iOS or Android device.
Open the app, and follow the simple steps, including verifying your phone number. Your phone is now a secure token.
Set up a developer account
You’ll need to register again, this time as a developer, so that you can link your VPS to your phone’s Authy app.
To do this, head to the signup page here and enter your email address, country, phone number and a password - make sure you use the same mobile number as you entered before.
<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/njjJfFU.png” alt =“Signing up” />
Once you receive an email from Authy, click the link in it and you’ll be asked to log in. Your phone will automatically have been configured as the token for accessing your account - open the “Authy” app, and you’ll have your password for logging in.
<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/I87BRgw.jpg?4” alt =“Authy code on iOS”/>
Create an API Application
Once you’re into your dashboard, click “Create new application”, enter a friendly name for your cloud server and click “Create”.
<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/La7wt5T.png” alt =“Creating an API application”/>
After a few seconds, you’ll be taken through to your app. Hover over the padlock where it says API key, and copy the key to somewhere safe. You’ll need it again in a moment.
<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/GRfypgS.png” alt =“API key”/>
Install authy-ssh
First of all, SSH into your VPS:
ssh root@your.hostname.tld
Download the installer, then run it, installing the executables in /usr/local/bin:
curl "https://raw.github.com/authy/authy-ssh/master/authy-ssh" -o authy-ssh-installer
sudo bash authy-ssh-installer install /usr/local/bin
At the prompt, enter the API key you received earlier from the Authy website. You’ll be asked to choose what to do if Authy is down - I’d recommend option 1, in case the service were to shut down suddenly.
Configure Two-Factor Authentication for Your User
Simply run the following command, replacing:
- “
whoami” with another username if you’d like to configure for a user other than the one you’re logged in as email and number with the email and mobile number on your Authy account - country with the country code from your phone number (for instance “+44” for the UK, or “+1” for the US and Canada)
sudo /usr/local/bin/authy-ssh enable <whoami> email country number
It’ll ask you confirm. Hit “y”, and then everything is ready to go.
Try It Out
Restart your SSH server so the changes take effect.
Ubuntu: sudo service ssh restart
Debian: sudo /etc/init.d/sshd restart
CentOS: sudo service sshd restart
Try to SSH back in, and you’ll be asked for your Authy Token. Open the app, switch to the “Authy” and enter the code. You are now logged in.
Changed Your Mind?
It’s imperative that you’re careful when uninstalling authy-ssh, or you could lose access to your VPS. It’ll take just two commands:
Run the installer script from before, but in uninstall mode:
chmod +x authy-ssh-installer
./authy-ssh-installer uninstall
Restart your SSH server, as above:
Ubuntu: sudo service ssh restart
Debian: sudo /etc/init.d/sshd restart
CentOS: sudo service sshd restart
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
author
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
Hey guys, it doesn’t look like authy has free plans anymore for ssh’ing to servers, and the above process only gets you a 30-day plan and after that it’s $0.05 per authentication. Booooooo. Just a heads up.
I’m using Authy, not Google Authenticator. Question: for an SSH server where the Authy stuff is already set up on my old mobile phone, how should I move it to my new mobile phone? I’m NOT syncing via iCloud of the old user, it’s a new Apple ID. Is there some way I can get into my SSH with the old phone (I have it, but prefer not to use it as it’s work phone) and then set up my new personal phone to also recognize the QR code or whatever it is? Thank you for any pointers!
It appears I cannot login using FTP Filezilla client after enabling authy. May I ask how I can gain access again to FTP with Authy applied?
@kamaln7 – Thanks. The command is working for Ubuntu 14.04.
“wget -O authy-ssh-installer https://raw.github.com/authy/authy-ssh/master/authy-ssh”
I am using LAMP ubuntu 14.04. The command “curl “https://raw.github.com/authy/authy-ssh/master/authy-ssh” -o authy-ssh-installer” appears not working as I am getting no such file/directory when I run “sudo bash authy-ssh-installer install /usr/local/bin”.
Can we get please correct command for ubuntu 14.04? Thank you.
I followed all the steps, I actually tried https://github.com/authy/authy-ssh, but I can still login without the token, it does not require it at all.
@Kamal: Seams that Transmit doesn’t support interactive login. FileZilla does, I’ll give it a try. Thanks ;)
@Franck Li: A solution might stand here: https://github.com/authy/authy-ssh#scp-mosh-and-git-push-with-two-factor-authentication
@Dmitri: It should work as far as I know. Most clients support interactive passwords. Try using another client such as FileZilla, does it work?
Apparently, the answer is no as far as SFTP is concerned; whilst able to connect through Transmit (SSH with key) prior to enabling Authy, connection fails after enabling it. Is there a workaround?
@Kamal: the question might be (at least it’s mine): can installing Authy become a problem when you then have to use SSH access for SFTP, Rsync, you-name-it?