diff --git a/default.nix b/default.nix
index 30fd770..1e6bb58 100644
--- a/default.nix
+++ b/default.nix
@@ -5,6 +5,7 @@
 ./modules/baseline.nix
 ./modules/cli.nix
 ./modules/gnome.nix
+ ./modules/mfa.nix
 ./modules/phpipam.nix
 ./modules/plasma.nix
 ./modules/profiles.nix
diff --git a/hosts/neo/configuration.nix b/hosts/neo/configuration.nix
index 5ec4e97..810f195 100644
--- a/hosts/neo/configuration.nix
+++ b/hosts/neo/configuration.nix
@@ -17,7 +17,6 @@
 ];
 
 services = {
- pcscd.enable = true;
 openssh.enable = true;
 zfs.autoSnapshot = { enable = true; monthly = 0; weekly = 0; };
 };
diff --git a/modules/mfa.nix b/modules/mfa.nix
new file mode 100644
index 0000000..5cd088c
--- /dev/null
+++ b/modules/mfa.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+let
+ pkcslib = "${pkgs.opensc}/lib/opensc-pkcs11.so";
+in
+{
+ services.pcscd.enable = true;
+ programs.ssh.startAgent = true;
+ programs.ssh.agentPKCS11Whitelist = pkcslib;
+ environment.systemPackages = [
+ pkgs.opensc
+ (pkgs.writeShellScriptBin "mfa" "exec ssh-add -s${pkcslib}")
+ ];
+
+ nixpkgs.overlays = [
+ (self: super: {
+ gnome = super.gnome // {
+ gnome-keyring = super.gnome.gnome-keyring.overrideAttrs (old: {
+ configureFlags = old.configureFlags ++ [ "--disable-ssh-agent" ];
+ });
+ };
+ })
+ ];
+
+}
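Review bot: Keys loaded through the `mfa` wrapper in modules/mfa.nix stay usable in the agent for the rest of the session once the PIN has been entered, because neither `programs.ssh.startAgent = true;` nor the `ssh-add -s` call sets a lifetime or a confirmation constraint. Consider adding `programs.ssh.agentTimeout = "1h";` (example value) next to `startAgent`, or passing `-t`/`-c` in the wrapper, so an unlocked token is not available indefinitely to every process that can reach the agent socket. Separately, the module has no enable option, so every host that imports default.nix now gets pcscd, the agent and the gnome-keyring overlay, where before only hosts/neo enabled pcscd; wrapping the body in `lib.mkIf` behind an option would keep that scope. In the overlay, `old.configureFlags or []` would avoid an evaluation error if the attribute is ever absent from the upstream derivation.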