Two-factor authentication (2FA) for Webconfig strengthens access security by requiring two methods to verify a user's identity. Before granting access to resources available via Webconfig, a user will be sent a random code after their username and password credentials have been verified. Failure to provide the correct code within a pre-determined window of time will result in access denial. 2FA for Webconfig can be enabled for root login or any user account.
This protects the ClearOS admin panel (Webconfig). Once you are logged in, you can use the Dynamic Firewall to temporarily permit access to other apps (SSH, VPN, etc)
Install from web interface (in the System section), like all the other apps.
yum --enablerepo=clearos-updates-testing,clearos-contribs-testing install app-two-factor-auth
Once installed, find the relevant admin panel and configure for your needs.
The information about the configuration is at /etc/clearos/two_factor_auth.conf (useful if you can't log in via the ClearOS admin panel because you are not receiving the emails)
If you need to add more than one email address (which is typical for the root account, just create a redirect ( rootmfa at example.org -> joe at example.org and jane at example.org and use mail forwarding.
You can also forward emails to SMS but be aware that SMS-based two-step verification is no longer recommended by NIST