Enable Two-Factor Authentication on your Ubuntu SSO account

This is fairly simple:

  1. Log in to with your standard SSO account credentials.

  2. Click the "Authentication Devices" tab.
  3. Click "Add a new authentication device".
  4. Select a device type.
  5. Follow the instructions on screen.
  6. Select "Always" for "Require an authentication device", and click "Update".

After adding your primary device, a set of recovery/emergency codes (a "paper backup") will be generated and shown to you. You MUST print or otherwise store in a safe yet handy place, this set paper codes in addition to your primary device. Paper codes are easy to add, you can print them and have them stored somewhere secure (but handy) in case your main device gets lost, needs to be replaced, reflashed, etc.

Backup verification

Paper backup devices behave just like your primary device and you can use SSO codes from them at any time. Every few weeks we'll encourage you to try a code from your backup, as a rehearsal of what to do if your primary device is unavailable. This also allows us to confirm your backup is handy and current. You can always use your primary device if you don't have your backup device handy, but if that's the case, maybe it's a good opportunity to ensure you do have it and print a new one if not.

Additionally, every few weeks, we'll show you a list of all the 2FA devices registered to your account, so you can keep things tidy and ensure all your devices (including your backup) are accounted for. It's also a great opportunity to print paper backups if you don't have any or have misplaced your existing set.


Ubuntu SSO supports any device or application that implements the OATH protocol (both counter- and time-based implementations work).

These types of devices are supported right now:

  • Smartphones: Ubuntu Phone, Android, iOS, Blackberry and any other brand/OS for which an OATH-compatible application is available. Look for options in your device's App Store. Tofu, 1Password, Authy and Google Authenticator are known to work.
  • Yubikey USB devices in OATH mode.
  • Feitian OTP c100 keyfobs.
  • Paper.
  • oathtool.
  • Some password managers (like 1Password).
  • Any other OATH/TOTP/HOTP-compatible device.

I have questions

We have an extensive list of FAQs with answers and technical information.

SSO/2FactorAuthentication (last edited 2021-11-30 22:08:27 by roadmr)