🧩Multi-Factor Authentication (MFA) for a Validator

Setting Up MFA for SSH Access

Enabling Two-Factor Authentication with Google Authenticator

Install Google Authenticator

sudo apt update && sudo apt install libpam-google-authenticator -y

Generate a Secret Key

google-authenticator

A QR code and key will appear. Save your backup codes!

Configure PAM for SSH

sudo nano /etc/pam.d/sshd

Add this line at the beginning:

auth required pam_google_authenticator.so

Enable MFA in the SSH Configuration

sudo nano /etc/ssh/sshd_config

Modify the following parameters:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Restart SSH:

Now, SSH access will require a one-time password (OTP) from Google Authenticator.

MFA for Hardware Security Keys (YubiKey)

Install FIDO2/U2F Support

Register Your YubiKey

Press the YubiKey button to confirm registration.

Configure PAM for SSH

Add:

Now, SSH access will require the hardware security key.

MFA for the Validator Wallet

Best Option – Hardware Wallet (Ledger, Trezor)

• Store private keys on Ledger Nano X or Trezor Model T.

• Connect only when signing transactions.

• Keplr + Ledger is an ideal solution for Cosmos validators.

Securing a Hot Wallet

If the wallet is stored on the server, run:

• Backup your mnemonic phrase offline.

• Restrict access to wallet files using ACL (Access Control List).

MFA for Monitoring and API

Securing Grafana with a Password + MFA

1. Enable OAuth 2.0 with Google/Auth0 for Grafana.

2. Restrict access to Grafana with 2FA.

3. Set up Fail2Ban to protect against brute-force attacks:

Add:

Apply changes:

Protecting RPC and API with MFA

Securing RPC Access via NGINX + OAuth

1. Install NGINX + JWT authentication.

2. Restrict access to /rpc, /api by IP addresses and keys.

3. Implement Cloudflare Access to enforce MFA for API access.