// Tutorial //

How To Install Authy And Configure Two-Factor Authentication For SSH

Published on August 15, 2013
Default avatar
By Tim Rogers
Developer and author at DigitalOcean.
How To Install Authy And Configure Two-Factor Authentication For SSH

Introduction


Using two-factor authentication, makes your VPS more secure by not just requiring a password or SSH key, but also a time-sensitive token generated by your phone.

This means that even if your password is compromised or you accidentally divulge your private key, your cloud server will remain secure.

Authy provides a straightforward platform for setting this up, which is compatible not only with popular apps like Google and Dropbox, but also your very own VPS.

It’s super simple to set up, and although it is a commercial service, for personal and development use, you can have up to 1000 logins per month for free.

You’ll need:

  • A DigitalOcean cloud server, ready to SSH into

  • An iOS or Android mobile device

Getting started


Set up Authy on your phone

Download the Authy app for your iOS or Android device.

Open the app, and follow the simple steps, including verifying your phone number. Your phone is now a secure token.

Set up a developer account

You’ll need to register again, this time as a developer, so that you can link your VPS to your phone’s Authy app.

To do this, head to the signup page here and enter your email address, country, phone number and a password - make sure you use the same mobile number as you entered before.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/njjJfFU.png” alt =“Signing up” />

Once you receive an email from Authy, click the link in it and you’ll be asked to log in. Your phone will automatically have been configured as the token for accessing your account - open the “Authy” app, and you’ll have your password for logging in.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/I87BRgw.jpg?4” alt =“Authy code on iOS”/>

Create an API Application

Once you’re into your dashboard, click “Create new application”, enter a friendly name for your cloud server and click “Create”.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/La7wt5T.png” alt =“Creating an API application”/>

After a few seconds, you’ll be taken through to your app. Hover over the padlock where it says API key, and copy the key to somewhere safe. You’ll need it again in a moment.

<img style=“border:2px solid black; display:block;margin-left:auto;margin-right:auto” src=“https://assets.digitalocean.com/tutorial_images/GRfypgS.png” alt =“API key”/>

Install authy-ssh

First of all, SSH into your VPS:

ssh root@your.hostname.tld

Download the installer, then run it, installing the executables in /usr/local/bin:

curl "https://raw.github.com/authy/authy-ssh/master/authy-ssh" -o authy-ssh-installer

sudo bash authy-ssh-installer install /usr/local/bin

At the prompt, enter the API key you received earlier from the Authy website. You’ll be asked to choose what to do if Authy is down - I’d recommend option 1, in case the service were to shut down suddenly.

Configure Two-Factor Authentication for Your User

Simply run the following command, replacing:

  • whoami with another username if you’d like to configure for a user other than the one you’re logged in as email and number with the email and mobile number on your Authy account
  • country with the country code from your phone number (for instance “+44” for the UK, or “+1” for the US and Canada)
sudo /usr/local/bin/authy-ssh enable <whoami> email country number

It’ll ask you confirm. Hit “y”, and then everything is ready to go.

Try It Out

Restart your SSH server so the changes take effect.

Ubuntu: sudo service ssh restart Debian: sudo /etc/init.d/sshd restart CentOS: sudo service sshd restart

Try to SSH back in, and you’ll be asked for your Authy Token. Open the app, switch to the “Authy” and enter the code. You are now logged in.

Changed Your Mind?


It’s imperative that you’re careful when uninstalling authy-ssh, or you could lose access to your VPS. It’ll take just two commands:

Run the installer script from before, but in uninstall mode:

chmod +x authy-ssh-installer
./authy-ssh-installer uninstall

Restart your SSH server, as above:

Ubuntu: sudo service ssh restart Debian: sudo /etc/init.d/sshd restart CentOS: sudo service sshd restart


Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.

Sign up
About the authors
Default avatar
Developer and author at DigitalOcean.

Still looking for an answer?

Was this helpful?
10 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Hey guys, it doesn’t look like authy has free plans anymore for ssh’ing to servers, and the above process only gets you a 30-day plan and after that it’s $0.05 per authentication. Booooooo. Just a heads up.

I’m using Authy, not Google Authenticator. Question: for an SSH server where the Authy stuff is already set up on my old mobile phone, how should I move it to my new mobile phone? I’m NOT syncing via iCloud of the old user, it’s a new Apple ID. Is there some way I can get into my SSH with the old phone (I have it, but prefer not to use it as it’s work phone) and then set up my new personal phone to also recognize the QR code or whatever it is? Thank you for any pointers!

It appears I cannot login using FTP Filezilla client after enabling authy. May I ask how I can gain access again to FTP with Authy applied?

@kamaln7 – Thanks. The command is working for Ubuntu 14.04.

“wget -O authy-ssh-installer https://raw.github.com/authy/authy-ssh/master/authy-ssh

I am using LAMP ubuntu 14.04. The command “curl “https://raw.github.com/authy/authy-ssh/master/authy-ssh” -o authy-ssh-installer” appears not working as I am getting no such file/directory when I run “sudo bash authy-ssh-installer install /usr/local/bin”.

Can we get please correct command for ubuntu 14.04? Thank you.

I followed all the steps, I actually tried https://github.com/authy/authy-ssh, but I can still login without the token, it does not require it at all.

@Kamal: Seams that Transmit doesn’t support interactive login. FileZilla does, I’ll give it a try. Thanks ;)

@Franck Li: A solution might stand here: https://github.com/authy/authy-ssh#scp-mosh-and-git-push-with-two-factor-authentication

@Dmitri: It should work as far as I know. Most clients support interactive passwords. Try using another client such as FileZilla, does it work?

Apparently, the answer is no as far as SFTP is concerned; whilst able to connect through Transmit (SSH with key) prior to enabling Authy, connection fails after enabling it. Is there a workaround?

@Kamal: the question might be (at least it’s mine): can installing Authy become a problem when you then have to use SSH access for SFTP, Rsync, you-name-it?