AuthFI PAM

SSH without shared keys.
MFA on every login.

AuthFI PAM replaces SSH keys with identity. MFA enforcement, role-based sudo, session recording, automatic provisioning and deprovisioning.

Available on Pro and above.

MFA-protected SSH

Every SSH login requires identity verification. No more shared keys.

Terminal -- alice@prod-db-01
$ ssh prod-db-01.acme.authfi.app

AuthFI PAM | Authenticating alice@acme.com
MFA Required | Enter TOTP code: 847291
Verified    | MFA passed. Session started.

  User:    alice@acme.com
  Role:    devops
  Sudo:    enabled (via group: devops)
  Session: recording
  Expires: 2h from now

alice@prod-db-01:~$ sudo systemctl status postgres
* postgresql.service - PostgreSQL
   Active: active (running)

Server inventory with access levels

See all servers, who has access, and at what level. Managed from the dashboard.

console.authfi.app/pam/servers
Server        OS            Access                        MFA       Status
prod-db-01    Ubuntu 22.04  devops: sudo, dev: read-only  Required  Online
prod-app-01   Debian 12     devops: sudo, dev: sudo       Required  Online
staging-01    Ubuntu 22.04  dev: sudo                     Optional  Online
ci-runner-01  Amazon Linux  devops: sudo                  Required  Offline

Enterprise PAM features

MFA enforcement

TOTP or passkey on every SSH login. No exceptions.

Role-to-sudo mapping

AuthFI roles map to Linux groups and sudoers rules automatically.

Session recording

Every command logged. Searchable. Replayable. Compliance-ready.

Auto provisioning

User created in AuthFI -> Linux account created on next SSH.

Instant deprovision

Disable user -> locked out of every server instantly.

Offline fallback

Cached credentials for network interruptions. Break-glass access.

eBPF integration

Combine with Agent for SSH + HTTP policies on the same host.

Multi-OS support

Ubuntu, Debian, RHEL, Amazon Linux. apt and yum packages.

Ready to get started?

Free for 5,000 monthly active users. No credit card required.