OTP for xscreensaver [Guide]

With the help of @solene, I was able to quickly setup OTP logins through xscreensaver. I had already setup AEM and have my LUKS password for drive encryption. But since I use my laptop in public spaces and sometimes have to logout and walk away for a moment, I wanted to add OTP as the only login. I’m sure there will be some feedback on the security of this, so please do share any that arises.

First, download google-authenticator in dom0:
sudo qubes-dom0-update google-authenticator

Run google authenticator:

Walk through the setup instructions which will also generate your QR code for your auth app of choice:

Do you want me to update your “/home/jlwallen/.google_authenticator” file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

By default, tokens are good for 30 seconds, and to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)

If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)`

Finally, add the following at the top of your /etc/pam.d/xscreensaver file:

auth required pam_google_authenticator.so

You can comment-out the auth include system-auth line if you don’t want to enter your user password after entering the OTP, or keep the line uncommented and have both OTP and a separate user password. NOTE: Do not comment out account include system-auth

That’s it. Enjoy.



You should be able to use a password + TOTP, that’s the best instead of using only TOTP, because you have a true 2FA here while TOTP is just another kind of secret.

In this setup, you have to type your password, let’s say hunt3r and then type the generated TOTP, this would end like hunt3r124875

1 Like

With this setup I only have to enter the OTP. Keeping the user auth in place offers two prompts: first the OTP, then the user password.

I have a made a multi-factor version of this guide. I was originally thinking of expanding this on this guide, but I think it’s better suited in the official docs:


Many thx.

I added

auth required pam_google_authenticator.so

in my



account required pam_nologin.so

and now I’ve got MFA at the login screen.

I stored the OTP directly in my Yubikey 5 NFC, which ist able to store 32 account.

Even if it is open source, I do not want to support or propose anything that is google :name_badge:? Any non-big-tech implementation alternative?

I like that setup thanks for sharing. Is it possibly to set a master password to unlock without the totp - e.g. when I am in a safe environment or I do not have my authenticator with me?

Would it be possible to integrate that for unlocking your drive?