I've set up Google authenticator as 2FA for ssh and it works great, but authenticator app for Android is not open source anymore. Is there a good real open source alternative?
- https://github.com/google/google-authenticator still seems to be available. Or are you talking about the cellphone app side? – Stephen Harris Jul 25 '16 at 16:53
- this Q seems like a better fit for http://softwarerecs.stackexchange.com/ – Jeff Schaller Jul 25 '16 at 17:28
- @JeffSchaller it may also be a fit for android se – Motte001 Jul 25 '16 at 19:17
- I’m voting to close this question because this is not about the Unix-aspects of Android. – muru May 17 '23 at 04:15
3 Answers
Aegis authenticator for Android is libre, simple and has useful features (import/export, biometric unlock, QR code scan or manual entry, material design...)
It is available on F-Droid: https://f-droid.org/fr/packages/com.beemdevelopment.aegis/
AUTHY. Cloud-based, concurrent use from multiple devices, app is available for most modern platforms, including LINUX. Compatible with Google Authenticator tokens.
I use it on my UBUNTU systems, mainly for login, su, and lightdm, although using PAM modules it will support many other protocols (sshd with public key, etc).
Here's a guide for configuring 2FA on UBUNTU JAMMY with PAM:
GOOGLE AUTHENTICATOR ONLY FOR USERS CONFIGURED (~/.google_authenticator exists) (Tested Procedure)
Here are the steps for configuring PAM with Google Authenticator for the /etc/pam.d/login file. It will bypass the verification code if the user has not configured his/her token file.
1. Install the necessary packages for PAM and Google Authenticator using the following command:
    sudo apt-get install libpam-google-authenticator
2. Edit the /etc/pam.d/login file using a text editor:
    sudo nano /etc/pam.d/login
3. Add the following lines to the bottom of the file:
    auth required pam_google_authenticator.so nullok
4. Save the file and exit the text editor.
You can then repeat steps 2-3 for the /etc/pam.d/su and /etc/pam.d/lightdm files to complete the configuration.
For the ssh configuration adjust the ChallengeResponseAuthentication yes and UsePAM yes parameters. More information about other ssh parameters needed can be found at:
https://www.techrepublic.com/article/enable-ssh-2fa-ubuntu-server/
SSH, 2FA, and Public Key Authentication
If the desired result is to skip 2FA with the Google Authenticator when invoking ssh with public key authentication, then the 'auth required pam_google_authenticator.so nullok' line must be placed at the end of /etc/pam.d/sshd. The file would look something like this:
    @include common-auth
    account required pam_nologin.so
    @include common-account
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required pam_loginuid.so
    session optional pam_keyinit.so force revoke
    @include common-session
    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate
    session optional pam_mail.so standard noenv # [1]
    session required pam_limits.so
    session required pam_env.so # [1]
    session required pam_env.so user_readenv=1 envfile=/etc/default/locale
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    @include common-password
    auth required pam_google_authenticator.so nullok
To enforce 2FA for the root user even when public key authentication is used, you can modify the /etc/pam.d/sshd file by adding the auth required pam_google_authenticator.so nullok line after the @include common-auth line. This will ensure that the Google Authenticator PAM module is always called, even when public key is used. /etc/pam.d/sshd would look something like this:
    @include common-auth
    auth required pam_google_authenticator.so nullok
    account required pam_nologin.so
    @include common-account
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required pam_loginuid.so
    session optional pam_keyinit.so force revoke
    @include common-session
    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate
    session optional pam_mail.so standard noenv # [1]
    session required pam_limits.so
    session required pam_env.so # [1]
    session required pam_env.so user_readenv=1 envfile=/etc/default/locale
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    @include common-password
After making this change, restart the sshd service and try logging in as the root user again. You should now be prompted for the Google Authenticator verification code even when using public key authentication.
This use case enables 2FA only for users with a valid ~/.google_authenticator file; that way you don't have to tune complex PAM settings.
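The following audit script is an added example, not part of the answer above: it checks the settings that answer describes, reporting whether pam_google_authenticator.so is active with nullok and which login accounts have no ~/.google_authenticator file and therefore are not asked for a code. The function names and fixture files are constructed for illustration; KbdInteractiveAuthentication is the current OpenSSH name for ChallengeResponseAuthentication, and Match blocks in sshd_config are not evaluated.

```sh
# Added example: audit the PAM/sshd 2FA settings described above. Paths are arguments.

# pam_status FILE -> missing | enforced | nullok (first active auth line for the module)
pam_status() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" |
        sed 's/#.*//' | head -n 1 | tr -s '[:space:]' ' ')
    [ -n "$line" ] || { echo missing; return; }
    case " $line " in
        *" nullok "*) echo nullok ;;
        *) echo enforced ;;
    esac
}

# sshd_option FILE KEYWORD -> value of the first uncommented occurrence (sshd uses the first)
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# users_without_token PASSWD -> accounts with a login shell and no ~/.google_authenticator
users_without_token() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        [ -f "$home/.google_authenticator" ] || echo "$user"
    done
}

audit_2fa() {   # audit_2fa PAM_FILE SSHD_CONFIG PASSWD
    pam=$(pam_status "$1"); echo "pam_google_authenticator: $pam"
    [ "$(sshd_option "$2" UsePAM)" = yes ] || echo "WARN: UsePAM is not yes"
    kbd=$(sshd_option "$2" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_option "$2" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] || echo "WARN: keyboard-interactive authentication is not enabled"
    [ "$pam" != nullok ] || users_without_token "$3" | sed 's/^/no 2FA (nullok): /'
}

# make_fixture DIR: constructed sample files, not taken from a real host
make_fixture() {
    mkdir -p "$1/home/alice" "$1/home/bob"
    : > "$1/home/alice/.google_authenticator"
    printf '%s\n' '@include common-auth' \
        'auth required pam_google_authenticator.so nullok' > "$1/pam_sshd"
    printf '%s\n' '#UsePAM no' 'UsePAM yes' 'KbdInteractiveAuthentication yes' > "$1/sshd_config"
    printf '%s\n' "alice:x:1000:1000::$1/home/alice:/bin/bash" \
        "bob:x:1001:1001::$1/home/bob:/bin/bash" \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' > "$1/passwd"
}

d=$(mktemp -d) && make_fixture "$d" && audit_2fa "$d/pam_sshd" "$d/sshd_config" "$d/passwd"
rm -rf "$d"
```

On a real host the three arguments would be /etc/pam.d/sshd, /etc/ssh/sshd_config and /etc/passwd.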