I'm using 2FA on Ubuntu 18.04.4 LTS with Google Authenticator. I added auth required pam_google_authenticator.so nullok to /etc/pam.d/common-session and correctly set up Google Authenticator.
The 2FA works great when getting back to a session after sleep mode. However when I shut my computer down and boot again, the 2FA doesn't prompt and I'm only asked to enter my master password. Do you have any idea why?
Problem was related to the encryption of home directory. As stated in Google Authenticator libpam
If your system encrypts home directories until after your users entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location
. If you're the only user of your laptop, below are the steps to follow to boot Ubuntu 18.04 with 2FA:
ga:sudo mkdir -m 700 /home/ga
sudo chown yourname:yourgroup /home/ga
google-authenticator in a terminal), it creates a configuration file at the root directory. Copy this file to your unencrypted directory:sudo cp ~/.google_authenticator /home/ga/.
/etc/pam.d/gdm-password:auth required pam_google_authenticator.so secret=/home/ga/.google_authenticator
Boot your computer and you should be good to go.
Sources
https://github.com/google/google-authenticator-libpam#encrypted-home-directories
Google Authenticator for Desktop (lightdm or gdm plugin)
https://wiki.archlinux.org/index.php/Google_Authenticator#Desktop_logins
Possible to Create Unencrypted Folder Outside Ecryptfs Home?