using google-authenticator (2FA) on the CS machines

(Note: you can also use Duo if you already have that app -- see below)

If you want to add two-factor authentication to your CS account, download the Google Autheticator app to your phone, and then run the google-authenticator command on one of the CS machines:


This will ask you a few questions (see below) and show a QR code, which you scan with the app. Once it's all set up, you'll be asked for a Verification Code when you try to log in to the CS machines with a password. Your password and the code (displayed by the app) are the two factors needed for logging in.

When you run the google-authenticator command above, you will be asked a few questions (shortened versions here):

Above are my answers. I'd keep the first two as "yes", but the others you can change if you want.

Here's an example of an ssh session using a password and verification code:

$ ssh username@fennel
Password: <not shown here>
Verification code: 123456

You will also be asked for the verification code if you log in on the graphical consoles (i.e., sitting in front of one of the lab machines).

Note: if you ever forget your phone, but still need to log in on the graphical console (i.e., in the lab), you can use Cntrl-Alt-F1 to switch to a terminal console. Now log in there (which won't ask for your verification code), and then temporarily move the ~/.google_authenticator file to another name. Logout from the terminal console and use Cntrl-Alt-F7 (or maybe F8) to switch back to the graphical login screen.

using Duo:

If you want to use Duo instead of downloading the google-auth app to your phone, you can! You still need to run google-authenticator as shown above. Once you get the QR code, do this:

  1. Open the Duo app
  2. Touch the "+" in the upper right-hand corner
  3. Scan the QR code presented by the google-authenticator command
  4. Confirm the account name and icon

Back to SwatCS Help Docs