diff --git a/pillar.example b/pillar.example
index d6e0033..d96ea29 100644
--- a/pillar.example
+++ b/pillar.example
@@ -58,6 +58,7 @@ users:
 options:
 - "StrictHostKeyChecking yes"
+ google_2fa: True
 google_auth:
 ssh: |
 SOMEGAUTHHASHVAL
diff --git a/users/googleauth.sls b/users/googleauth.sls
index 7342132..9e6a9ff 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}:
 - user: root
 - group: {{ users.root_group }}
 - mode: 600
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+{%- if user.get('google_2fa', True) %}
+users_googleauth-pam-{{ svc }}-{{ name }}:
+ file.replace:
+ - name: /etc/pam.d/{{ svc }}
+ - pattern: "^@include common-auth"
+ - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
+ - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
+ - backup: .bak
+{%- endif %}
+{%- endfor %}
+{%- endif %}
+{%- endfor %}
diff --git a/users/init.sls b/users/init.sls
index 30bbda8..dcf6136 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -298,7 +298,7 @@ users_googleauth-{{ svc }}-{{ name }}:
 - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
 - user: root
 - group: {{ users.root_group }}
-- mode: 600
+- mode: 400
 - require:
 - pkg: users_googleauth-package
 {%- endfor %}
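Review bot: The `success=done` control in the `repl` line ends the auth stack as soon as pam_google_authenticator.so accepts a code, so the `@include common-auth` it re-appends is never reached and a valid OTP alone satisfies PAM for {{ svc }} — a factor swap rather than a second factor, unless the service enforces another factor outside PAM (for example sshd's `AuthenticationMethods`), which this hunk cannot show. For a genuine two-factor chain the inserted line should be `auth required pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code` so that common-auth still runs afterwards. The line also carries no `nullok`, and the PAM file is host-wide while the Jinja loop only selects which pillar users trigger the edit, so with `default=die` every account on the minion that has no secret file is locked out of {{ svc }}; if that is intended, say so in a comment above the state. Finally, `file.replace` reports success when `^@include common-auth` is absent (non-Debian PAM layouts), leaving {{ svc }} silently without OTP, so a comment stating the Debian/Ubuntu PAM assumption, or a follow-up check of the file, would make the failure mode visible.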
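Review bot: Tightening the secret file to mode 400 is the right direction, but the same `file.managed` state still renders the TOTP seed into state output: with `contents_pillar` Salt prints a unified diff of the file by default, so the secret lands in minion and master logs and in any returner on first deploy and on every change. Add `- show_changes: False` alongside the new mode line so only a changed/unchanged flag is reported. With the PAM line in users/googleauth.sls using `user=root`, the module reads the file as root, so root-owned 400 should be sufficient — worth confirming on a host where {{ svc }} runs unprivileged. The state `users_googleauth-{{ svc }}-{{ name }}` begins before this hunk.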