March 09, 2012 by Jaryd Malbin
Two-factor authentication is the practice of authenticating a user twice, using two different techniques. If you have ever used SecurID or (most) banking websites, you are already familiar with this authentication model.
No solution is perfect in itself, and so the idea is to continue to add layers of security.
Consider this example: an attacker gains local access, escalates to root, and replaces sshd with a look-alike binary that logs passwords. Without two-factor authentication the attacker can "follow" users out of the compromised server, reusing the captured passwords on every other host those users log in to. With two-factor authentication the attacker still obtains the users' passwords, but cannot pass the secondary authentication method.
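To make the scenario concrete, here is an added example (not code from the original post) of a two-factor login check in Python. It assumes the second factor is a time-based one-time code (TOTP, RFC 6238) such as a hardware or phone token produces; the post itself does not name the second factor. The user record, salt and password are constructed for the example, and the TOTP seed is the RFC 6238 test-vector secret. A captured password alone fails the check, and a captured one-time code cannot be replayed because each time-step counter is accepted only once.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: int, last_counter: int,
               window: int = 1, step: int = 30):
    """Return the time-step counter that produced `code`, or None if no counter matches.

    Accepts +/- `window` steps of clock drift, but rejects any counter that is not
    newer than the last accepted one, so a one-time code captured by a password
    logger cannot be replayed inside the validity window."""
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored record is not the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example. The TOTP secret is the RFC 6238
# test-vector seed, which makes the expected codes easy to check against the RFC.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # no code accepted yet
    }
}


def login(db: dict, username: str, password: str, code: str, at: int) -> bool:
    """Succeed only when BOTH the password and a fresh one-time code are correct."""
    rec = db.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    counter = match_totp(rec["totp_secret"], code, at, rec["last_counter"])
    # Both factors are always evaluated, so a failure does not reveal which one was wrong.
    if not (pw_ok and counter is not None):
        return False
    rec["last_counter"] = counter  # consume this time step; the same code is never accepted twice
    return True


if __name__ == "__main__":
    # Attacker with the logged password but no token: rejected.
    print(login(USERS, "alice", "correct horse", "000000", 59))   # False
    # Legitimate user with password and the code for t=59: accepted.
    print(login(USERS, "alice", "correct horse", "287082", 59))   # True
    # Replay of the same captured code: rejected.
    print(login(USERS, "alice", "correct horse", "287082", 59))   # False
```

In a real deployment the `last_counter` value must be persisted per user (and updated atomically), the secret must be stored with the same care as a password hash, and the clock-drift window kept small; widening it makes a captured code usable for longer.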
Read more for code and an example configuration.