By design, Linux is about as secure an operating system as you'll find. However, that level of security doesn't mean there aren't steps you can take to make it more secure.
One thing you can do is enable two-factor authentication (2FA) for desktop logins. With this feature added to the process, you log in by typing a six-digit code that you retrieve from an authenticator app on your phone, along with your user password.
Believe it or not, 2FA is pretty easy to set up. I would suggest, however, that you try this approach on a test machine. You do not want to get locked out of your main desktop, because, should that happen, it can be a nightmare to resolve.
With that said, let me show you how to set up 2FA.
What you'll need: To make this approach work, you'll need a running instance of Linux. I'll demonstrate with Zorin OS, which is an Ubuntu-based distribution. With a Fedora or Arch-based distro, alter the installation command (swapping out apt for dnf or pacman). You'll also need an authenticator app (such as Authy or Google Authenticator) installed on your mobile phone.
With that said, let's install some software.
The first thing to do is log in to your Linux distribution and open the terminal window.
Within the terminal app, install the necessary software with the command:
sudo apt-get install libpam-google-authenticator -y
Open the necessary configuration file with the command:
sudo nano /etc/pam.d/common-auth
At the bottom of the file, add the following:
auth required pam_google_authenticator.so
Save and close the file.
Now, before you log out and test the software, I recommend you secure shell into the machine and leave the connection open until you are certain it works. If the system doesn't work, you're still logged in and can troubleshoot. Fortunately, the above setup worked flawlessly for me.
From the terminal, issue the command:
google-authenticator
A QR code will appear in the terminal. Open the authenticator app on your mobile device and add a new account by scanning the QR code (how you do this will depend on the app you use). Once the scan is complete, you'll be asked to type the six-digit code from the app in the Linux terminal window.
You'll be presented with a few emergency "scratch" codes. Make sure to save those codes (to be used if you lose your phone).
You'll be asked the following questions:
Make sure to answer "y" to all the questions.
With these steps taken care of, you can now reboot the system. When you log in, you'll be asked for your user password and the six-digit code from the authenticator app on your mobile phone.
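A check to run before that reboot, while the SSH session recommended above is still open (an added example, not part of the original article): it confirms that the PAM line is active and that the account already has a usable secret file, because "auth required" with no secret file means that user cannot log in. The function name check_2fa_ready is hypothetical, and the secret path assumes google-authenticator's default location, ~/.google_authenticator.

```shell
#!/bin/sh
# Added example: pre-reboot sanity check for the 2FA setup described above.
# check_2fa_ready is a hypothetical helper, not part of any package.
# Assumption: the secret lives at the default path ~/.google_authenticator.
#
# Usage: check_2fa_ready /etc/pam.d/common-auth "$HOME/.google_authenticator"
# Returns: 0 = safe to log out, 1 = lockout risk, 2 = module not enabled.

check_2fa_ready() {
    pam_file=$1      # PAM file that should load the module
    secret_file=$2   # per-user secret written by google-authenticator

    # 1. The module must appear on an uncommented "auth" line.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam_file"; then
        echo "NOT ENABLED: no active pam_google_authenticator.so line in $pam_file"
        return 2
    fi

    # 2. With "auth required", an account without a secret file cannot
    #    authenticate, so the file must exist and be non-empty.
    if [ ! -s "$secret_file" ]; then
        echo "LOCKOUT RISK: $secret_file is missing or empty; run google-authenticator first"
        return 1
    fi

    # 3. The module rejects a secret that group or others can access.
    #    Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$secret_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "LOCKOUT RISK: $secret_file is accessible by group/others; fix with: chmod 600 $secret_file"
        return 1
    fi

    echo "OK: module enabled and secret file present with owner-only permissions"
    return 0
}
```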
One thing to keep in mind is that this process only works for desktop login. Enabling 2FA for SSH login is a different process, which I'll walk you through in a separate how-to.
Congratulations, your Linux desktop is now slightly more secure.