diff --git a/enable_2fa.yml b/enable_2fa.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3fd7b4528092589f777f3a3b5981ddecbb7d64be
--- /dev/null
+++ b/enable_2fa.yml
@@ -0,0 +1,8 @@
+---
+- hosts: 
+  become: true
+  
+  roles:
+  - configure_pam
+  - configure_sshd_conf
+  - install_googleauth
\ No newline at end of file
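Review bot: The `roles:` list applies `configure_pam` before `install_googleauth`, so the PAM stack references `pam_google_authenticator.so` before the package that ships the module is installed. Because the line is `auth required`, SSH logins may fail on a fresh host during that window; list `install_googleauth` first. `hosts:` is also left empty, which Ansible is likely to reject or treat as no target. Name the inventory group explicitly, e.g. `hosts: <inventory_group>` (placeholder), and consider a comment saying which hosts this playbook is safe to run against.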
diff --git a/files/sshd_config b/files/sshd_config
new file mode 100644
index 0000000000000000000000000000000000000000..0f8532fddfe9270d5a510c99adbb8385acb3008e
--- /dev/null
+++ b/files/sshd_config
@@ -0,0 +1,7 @@
+UsePAM yes
+ 
+Challenge ResponseAuthentication yes
+ 
+PermitRootLogin yes
+ 
+AuthenticationMethods publickey,keyboard-interactive
\ No newline at end of file
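Review bot: `Challenge ResponseAuthentication yes` has a space inside the keyword, so sshd will read `Challenge` as an unknown option and should refuse to start with this file loaded. It should be `ChallengeResponseAuthentication yes`; newer OpenSSH releases name the option `KbdInteractiveAuthentication`. `PermitRootLogin yes` is also a surprising choice in a file whose purpose is to tighten login. Unless direct root login is a stated requirement, prefer `PermitRootLogin no` and have admins use sudo. A one-line comment above `AuthenticationMethods` stating that both a key and the PAM challenge are required would help the next reader.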
diff --git a/roles/configure_pam/tasks/main.yml b/roles/configure_pam/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f33ad6ba39e659a61b18d5fb2be2164b335f267a
--- /dev/null
+++ b/roles/configure_pam/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: insert lines in /etc/pam.d/sshd
+  blockinfile:
+    path: /etc/pam.d/sshd
+    block: |
+      # two-factor authentication via Google Authenticator 
+      auth required pam_google_authenticator.so no_increment_hotp nullok
+  
+- name: restart ssh
+  service:
+    name: ssh
+    state: restarted
\ No newline at end of file
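Review bot: The `nullok` option on the `pam_google_authenticator.so` line makes the second factor optional, because any account that has not enrolled passes this module without entering a code. If that is an enrolment grace period, say so in the block's comment and plan to drop it, leaving `auth required pam_google_authenticator.so no_increment_hotp`. The block is appended at blockinfile's default position, the end of `/etc/pam.d/sshd`, so whatever password prompt the existing stack defines presumably still runs before it; confirm that is intended. The unconditional `restart ssh` task would be better as a handler notified by the blockinfile task, so ssh is only bounced when the file changes.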
diff --git a/roles/configure_sshd_conf/tasks/main.yml b/roles/configure_sshd_conf/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..245916e687dd97113ea6e95d6b7121a5c789636b
--- /dev/null
+++ b/roles/configure_sshd_conf/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: check if sshd_config.d directory exists
+  stat:
+    path: "{{ item }}"
+  register: folder_stats
+  with_items:
+  - ["/etc/ssh/sshd_config.d"]
+    
+- name: insert lines if directory doesn't exists
+  with_items: "{{ folder_stats.results }}"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    state: present
+    line: "AllowUsers      slub root \n AllowGroups     ssh"
+  when: item.stat.exists == false
+
+- name: create extra sshd_config
+  with_items: "{{ folder_stats.results }}"
+  template:
+    src: ./files/sshd_config
+    dest: /etc/ssh/sshd_config.d/sshd.config
+    owner: root
+    group: root
+    mode: '0644'
+  when: item.stat.exists == true
+
+- name: restart ssh
+  service:
+    name: ssh
+    state: restarted
\ No newline at end of file
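Review bot: The drop-in is written to `/etc/ssh/sshd_config.d/sshd.config`, but the stock Debian/Ubuntu `Include` line matches `/etc/ssh/sshd_config.d/*.conf`. sshd will therefore most likely ignore the file and none of the 2FA settings take effect; use a `.conf` name such as `dest: /etc/ssh/sshd_config.d/sshd.conf`. On hosts without the directory only the `AllowUsers`/`AllowGroups` line is added, so `AuthenticationMethods` is never set there either. That `line:` embeds `\n` and a leading space, which lineinfile probably cannot match on a later run and so may re-append. sshd also requires a login to satisfy both directives, so `root` is rejected unless it is in group `ssh`. Split it into two lineinfile tasks and add an `sshd -t` check before the restart so a broken config never reaches the running daemon.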
diff --git a/roles/install_googleauth/tasks/main.yml b/roles/install_googleauth/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e5576507cee48ee06dd6222d1ca4683fb9ef7e4a
--- /dev/null
+++ b/roles/install_googleauth/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Install google_authenticator
+  package:
+    name: libpam-google-authenticator
+    state: present
\ No newline at end of file
diff --git a/roles/main.yml b/roles/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e79447f9eec0807f1043265e13550eeffa0c84e9
--- /dev/null
+++ b/roles/main.yml
@@ -0,0 +1,5 @@
+---
+
+- import_tasks: "configure_pam.yml"
+- import_tasks: "configure_sshd_conf.yml"
+- import_tasks: "install_googleauth.yml"
\ No newline at end of file
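Review bot: `roles/main.yml` imports `configure_pam.yml`, `configure_sshd_conf.yml` and `install_googleauth.yml`, but this commit adds those as role directories with `tasks/main.yml`, not as task files. Nothing visible references this file, so it appears to be dead and would fail to resolve its imports if it were ever loaded. Either remove it or point it at real files. If it is kept, its order should match the playbook's, with the package install ahead of the PAM and sshd changes.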