# MFA - Multi Factor Authentication

MFA can be enabled on any standard system with the following configuration:

```yaml
# disable kerberos authentication
ssh_server::enable_gssapi: false
# disable ssh key authentication
ssh_server::enable_public_key: false

aaa::radius_auth: true
aaa::radius_shared_secret: ENC[PKCS7,MIIBuQYJK...9Z82qA==]
aaa::radius_servers: [ 'nps01.psi.ch', 'nps02.psi.ch' ]
aaa::radius_timeout: 60
```

In addition, ensure that `ChallengeResponseAuthentication yes` is set in your sshd configuration. This is the default, so if no changes were made to the sshd configuration it should already be in place.

Prerequisites: your server must be able to reach the RADIUS servers (`nps01.psi.ch` and `nps02.psi.ch` in the example), and you must have received a shared secret from the RADIUS admin. (At the time of writing, the RADIUS servers are supported by group 9521.)
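
To verify the sshd side of this setup on a host, the following added example (not part of the original page or its tooling) checks the effective settings printed by `sshd -T`. The function name, the mapping of `ssh_server::enable_gssapi` and `ssh_server::enable_public_key` to `GSSAPIAuthentication` and `PubkeyAuthentication`, and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check effective sshd settings against the MFA setup above.
# Input: output of `sshd -T` (one "keyword value" pair per line) on stdin.
# Output: one line per mismatch; exit status 0 only if every check passes.
check_mfa_sshd() {
    awk '
    BEGIN { bad = 0 }
    { conf[tolower($1)] = tolower($2) }
    function check(key, want,   got) {
        got = (key in conf) ? conf[key] : "unset"
        if (got != want) {
            printf "MISMATCH %s=%s (want %s)\n", key, got, want
            bad = 1
        }
    }
    END {
        # Older OpenSSH prints challengeresponseauthentication; since 8.7 that
        # name is a deprecated alias and kbdinteractiveauthentication is printed.
        if ("challengeresponseauthentication" in conf)
            check("challengeresponseauthentication", "yes")
        else
            check("kbdinteractiveauthentication", "yes")
        # Assumed mapping of the two ssh_server::enable_* keys to sshd keywords.
        check("gssapiauthentication", "no")
        check("pubkeyauthentication", "no")
        exit bad
    }'
}

# Constructed sample inputs (not captured from a real host).
sample_good() {
    printf '%s\n' 'port 22' 'kbdinteractiveauthentication yes' \
        'gssapiauthentication no' 'pubkeyauthentication no'
}
sample_bad() {
    printf '%s\n' 'challengeresponseauthentication no' \
        'gssapiauthentication yes' 'pubkeyauthentication no'
}

sample_good | check_mfa_sshd && echo "sample_good: ok"
sample_bad | check_mfa_sshd || echo "sample_bad: mismatches found"
```

On a real host, run `sshd -T | check_mfa_sshd` as root in place of the sample inputs.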