Question
SSH - Two-factor or Key pairs?
Does anyone have an opinion on which method is best to protect SSH: key pairs or the two-factor authentication below?
https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-two-factor-authentication
To protect houses we first had private keys and public keyholes. Then door codes. Then access cards combined with a code. I mean when I lose my key I also lose access to my server and someone else might get access instead. Even if I protect my private key with a password, it's easy to hack on someone's computer if it gets lost. If I store a password on a server, it's not so easy to hack it if I have fail2ban and port knocking.
Keys always need to be stored somewhere: unencrypted discs, smartphones, Dropbox etc. An easy-to-remember 18+ character password only needs to be stored in a non-hackable brain. And combined with two-factor authentication it seems to me safer than using key pairs.
If I use the Google Authenticator app on my phone I can still lose my phone/SIM card. But if I also enable two-factor for a second phone I can always store that SIM card in a safe place to always have access to my server, just in case I lose my phone. And if anyone gets access to my phone they still need to know the SSH password.
Does anyone have an opinion on this?