One way to do this is with a tool provided by Google called Google Authenticator.

Install libpam-google-authenticator or just sudo apt-get install libpam-google-authenticator Edit /etc/pam.d/sshd to include the module: sudoedit /etc/pam.d/sshd

and then include this line at the top of the file and save: auth required pam_google_authenticator.so Edit your SSH config file to turn on the challenge: sudoedit /etc/ssh/sshd_config and then change the response authentication from: ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes and then save the file. sudo restart ssh to restart SSH Run google-authenticator This will give you your secret key, verification code, and emergency scratch codes. It will also ask you some rate limiting questions.

Mobile Applications:

You'll need one of these to receive the authentication code on another device.

Related and Useful:

Note that combining a password with single-use passcodes is two-factor authentication: it combines “what you know” (a password) with “what you have” (the passcode generator device). On the other hand, if you combine single-use passcodes with an SSH key pair, it's all about “what you have”. When two authentication factors are of the same type, you do not have two-factor authentication; this is sometimes called “one-and-a-half-factor authentication”.