Score:1

Seems 2FA login authentication is trivial to bypass on Ubuntu. What am I missing?


I was considering setting up 2FA on Ubuntu with libpam-google-authenticator as outlined in this article. However, it seems this method can be completely bypassed by entering GRUB rescue mode and removing the .google_authenticator file in the home directory.

```
# rm /home/username/.google_authenticator
```

Then comment out the following line in the /etc/pam.d/common-auth file:

```
auth required pam_google_authenticator.so
```

Am I overlooking anything? How could you allow the ability to disable 2FA without having to provide any type of 2FA code? It seems to defeat the purpose of enabling 2FA in the first place.

raj
There is a well-known rule of security, "if you have physical access to the machine, you can do anything". If you want your machine to be secure, you must take care of physical security first. Even if GRUB rescue mode required 2FA, you could always boot from live media and do the same as you described. And it is actually good. These things are a last resort to recover when you screw up your system.
Organic Marble
If this scenario concerns you, encrypt your hard drive.
@OrganicMarble - even if I encrypt my hard drive the config file has to remain outside the encrypted partition, to allow the login process access to the config file prior to decryption. Therefore I don't think full disk encryption is the solution? It seems this _Authenticator PAM module_ only offers the illusion of security. Am I right? _Source:_ [https://github.com/google/google-authenticator-libpam](https://github.com/google/google-authenticator-libpam)
Organic Marble
https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
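
Related to the disk-encryption suggestion in the comments above, an added example that is not part of the original thread: it reports whether the two files named in the question sit on a filesystem backed by a dm-crypt (LUKS) device, using `lsblk -J -o NAME,TYPE,MOUNTPOINT` output. The device names and layout in the sample are constructed (a common LUKS-plus-LVM layout with a separate unencrypted /boot), and the function names are hypothetical.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (assumption:
# LUKS + LVM layout with a separate, unencrypted /boot). Not from a real host.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": "/boot"},
    {"name": "sda3", "type": "part", "mountpoint": null, "children": [
      {"name": "sda3_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}
]}
"""

def mounts_with_crypt_flag(lsblk_json):
    """Map each mountpoint to True if a 'crypt' device is in its parent chain."""
    result = {}
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mp = dev.get("mountpoint")
        if mp and mp.startswith("/"):      # skips null and [SWAP]
            result[mp] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)
    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result

def owning_mount(path, mounts):
    """Return the longest mountpoint that contains path, or None."""
    best = None
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best or ""):
            best = mp
    return best

def audit(paths, lsblk_json):
    """Return {path: (mountpoint, encrypted_at_rest)} for each path."""
    mounts = mounts_with_crypt_flag(lsblk_json)
    return {p: (owning_mount(p, mounts), mounts.get(owning_mount(p, mounts), False))
            for p in paths}

if __name__ == "__main__":
    for path, (mp, enc) in audit(["/etc/pam.d/common-auth",
                                  "/home/username/.google_authenticator",
                                  "/boot/grub/grub.cfg"], SAMPLE_LSBLK).items():
        print(f"{path}: mount={mp} encrypted={enc}")
```

On a real machine, feed the function the live `lsblk` output instead of the sample; layouts differ, so the result for the constructed sample says nothing about any particular host.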