Description
PAM login flows gain time-based one-time password checks through Google Authenticator-compatible tokens. It helps administrators require a second factor for supported local or remote services.
Authentication changes can lock users out if secrets, clocks, or PAM rules are wrong. Test with a recovery session, protect shared secrets, and document fallback access before enforcing it broadly.