22.2. One-Time Passwords
Important
- The user authenticates with a traditional password.
- The user provides an OTP code generated by a recognized OTP token.
Warning
- The most important security limitation is the potential vulnerability to replay attacks across the system. Replication is asynchronous, and an OTP code can therefore be reused during the replication period. A user might be able to log on to two servers at the same time. However, this vulnerability is usually difficult to exploit due to comprehensive encryption.
- It is not possible to obtain a ticket-granting ticket (TGT) using a client that does not support OTP authentication. This might affect certain use cases, such as authentication using the mod_auth_kerb module or the Generic Security Services API (GSSAPI).
- It is not possible to use password + OTP in the IdM solution if the FIPS mode is enabled.
22.2.1. How OTP Authentication Works in IdM
22.2.1.1. OTP Tokens Supported in IdM
Software and Hardware Tokens
User-managed and Administrator-managed Tokens
- User-managed tokens
- Users have full control over user-managed tokens in Identity Management: they are allowed to create, edit, or delete their tokens.
- Administrator-managed tokens
- The administrator adds administrator-managed tokens to the users' accounts. Users themselves have read-only access for such tokens: they do not have the permission to manage or modify the tokens and they are not required to configure them in any way.
Supported OTP Algorithms
- The HMAC-Based One-Time Password (HOTP) algorithm is based on a counter. HMAC stands for Hashed Message Authentication Code.
- The Time-Based One-Time Password (TOTP) algorithm is an extension of HOTP to support a time-based moving factor.
22.2.1.2. Available OTP Authentication Methods
- Two-factor authentication (password + OTP)
- With this method, the user is always required to enter both a standard password and an OTP code.
- Password
- With this method, the user still has the option to authenticate using a standard password only.
- RADIUS proxy server authentication
- For information on configuring a RADIUS server for OTP validation, see Section 22.2.6, “Migrating from a Proprietary OTP Solution”.
Global and User-specific Authentication Methods
- By default, user-specific authentication method settings take precedence over global settings. If no authentication method is set for a user, the globally-defined methods apply.
- You can disable per-user authentication method settings for any user. This ensures IdM ignores the per-user settings and always applies the global settings for the user.
Combining Multiple Authentication Methods
- If you configure both two-factor and password authentication, the user must provide the password (first factor), but providing the OTP (second factor) is optional when using the command line:
First Factor:
Second Factor (optional):
- In the web UI, the user must still provide both factors.
Note
- Kerberos will always use RADIUS, but LDAP will not. LDAP only recognizes the password and two-factor authentication methods.
- If you use an external two-factor authentication provider, use Kerberos from your applications. If you want to let users authenticate with a password only, use LDAP. It is recommended that applications use the Apache modules and SSSD, which allow either Kerberos or LDAP to be configured.
22.2.1.3. GNOME Keyring Service Support
First factor: static_password
Second factor: one-time_password
22.2.1.4. Offline Authentication with OTP
First factor: static_password
Second factor: one-time_password
First factor prompt. However, note that this is not compatible with offline OTP authentication. If the user enters both factors in a single prompt, IdM will always have to contact the central authentication server when authenticating, which requires the system to be online.
Important
- The cache_credentials option in the /etc/sssd/sssd.conf file is set to True, which enables caching the first-factor password.
- The first-factor static password meets the password length requirement defined in the cache_credentials_minimal_first_factor_length option set in /etc/sssd/sssd.conf. The default minimal length is 8 characters. For more information about the option, see the sssd.conf(5) man page.
krb5_store_password_if_offline option is set to true in /etc/sssd/sssd.conf, SSSD does not attempt to refresh the Kerberos ticket-granting ticket (TGT) when the system goes online again because the OTP might already be invalid at that point. To obtain a TGT in this situation, the user must authenticate again using both factors.
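The two caching prerequisites above and the krb5_store_password_if_offline note, as an added check that is not from this page or from SSSD: a Python audit that reads an sssd.conf, applies the defaults that sssd.conf(5) documents for absent options (caching off, minimal length 8, offline password storage off), and reports per domain whether a given first-factor password would be cached for offline use. The sample configuration is constructed for the example and the function names are the example's own.

```python
import configparser

# Constructed sample sssd.conf for this example (not a file from the page).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test, legacy.test
services = nss, pam

[domain/example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True

[domain/legacy.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = False
cache_credentials_minimal_first_factor_length = 12
krb5_store_password_if_offline = true
"""


def _as_bool(value: str) -> bool:
    # sssd.conf booleans are TRUE/FALSE, case-insensitive.
    return value.strip().lower() == "true"


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # Interpolation off: sssd.conf values may contain '%' characters.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def domain_offline_otp_status(parser: configparser.ConfigParser, section: str) -> dict:
    """Collect the three options that matter for offline first-factor caching,
    applying the documented defaults for keys that are absent."""
    opts = parser[section]
    return {
        "cache_credentials": _as_bool(opts.get("cache_credentials", "false")),
        "min_first_factor_length": int(
            opts.get("cache_credentials_minimal_first_factor_length", "8")),
        "krb5_store_password_if_offline": _as_bool(
            opts.get("krb5_store_password_if_offline", "false")),
    }


def offline_otp_report(text: str) -> dict:
    """One status dict per [domain/...] section, keyed by domain name."""
    parser = parse_sssd_conf(text)
    return {
        section[len("domain/"):]: domain_offline_otp_status(parser, section)
        for section in parser.sections()
        if section.startswith("domain/")
    }


def first_factor_cacheable(password: str, status: dict) -> bool:
    """True when SSSD would cache this static first factor for offline use:
    caching must be enabled and the password must meet the minimal length."""
    return status["cache_credentials"] and len(password) >= status["min_first_factor_length"]


if __name__ == "__main__":
    for domain, status in offline_otp_report(SAMPLE_SSSD_CONF).items():
        print(domain, status)
```

Run it against a real /etc/sssd/sssd.conf by reading the file into `offline_otp_report`; a domain that reports `cache_credentials: False` cannot authenticate OTP users offline regardless of password length, and a `krb5_store_password_if_offline: True` entry is a reminder that, per the note above, a TGT is still not refreshed automatically after reconnecting.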
22.2.2. Enabling OTP Authentication
- the web UI, see the section called “Web UI: Enabling OTP Authentication”.
- the command line, see the section called “Command Line: Enabling OTP Authentication”.
Web UI: Enabling OTP Authentication
- Select → .
- In the User Options area, select the required Default user authentication types.

Figure 22.4. User Authentication Methods
- Select → , and click the name of the user to edit.
- In the Account Settings area, select the required User authentication types.

Figure 22.5. User Authentication Methods
Command Line: Enabling OTP Authentication
- Run the ipa config-mod --user-auth-type command. For example, to set the global authentication method to two-factor authentication:
$ ipa config-mod --user-auth-type=otp
For a list of values accepted by --user-auth-type, run the ipa config-mod --help command.
- To disable per-user overrides, thus ensuring the global settings are not overridden with per-user settings, add the --user-auth-type=disabled option as well. For example, to set the global authentication method to two-factor authentication and disable per-user overrides:
$ ipa config-mod --user-auth-type=otp --user-auth-type=disabled
If you do not set --user-auth-type=disabled, authentication methods configured per user take precedence over the global settings.
- Run the ipa user-mod --user-auth-type command. For example, to set that user will be required to use two-factor authentication:
$ ipa user-mod user --user-auth-type=otp
--user-auth-type multiple times. For example, to configure both password and two-factor authentication globally for all users:
$ ipa config-mod --user-auth-type=otp --user-auth-type=password
22.2.3. Adding a User-Managed Software Token
- Log in with your standard password.
- Make sure the FreeOTP Authenticator application is installed on your mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
- Create the software token in the IdM web UI or from the command line.
- To create the token in the web UI, click Add under the OTP tokens tab. If you are logged in as the administrator, the OTP Tokens tab is accessible through the Authentication tab.

Figure 22.6. Adding an OTP Token for a User
- To create the token from the command line, run the ipa otptoken-add command.
$ ipa otptoken-add
------------------
Added OTP token ""
------------------
  Unique ID: 7060091b-4e40-47fd-8354-cb32fecd548a
  Type: TOTP
  ...
For more information about ipa otptoken-add, run the command with the --help option added.
- A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.
22.2.4. Adding a User-Managed YubiKey Hardware Token
- Log in with your standard password.
- Insert your YubiKey token.
- Run the ipa otptoken-add-yubikey command.
- If the YubiKey has an empty slot available, the command selects the empty slot automatically.
- If no empty slot is available, you must select a slot manually using the --slot option. For example:
$ ipa otptoken-add-yubikey --slot=2
Note that this overwrites the selected slot.
22.2.5. Adding a Token for a User as the Administrator
- Make sure you are logged in as the administrator.
- Make sure the FreeOTP Authenticator application is installed on the mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
- Create the software token in the IdM web UI or from the command line.
- To create the token in the web UI, select → and click at the top of the list of OTP tokens. In the Add OTP Token form, select the owner of the token.

Figure 22.7. Adding an Administrator-Managed Software Token
- To create the token from the command line, run the ipa otptoken-add command with the --owner option. For example:
$ ipa otptoken-add --owner=user
------------------
Added OTP token ""
------------------
  Unique ID: 5303baa8-08f9-464e-a74d-3b38de1c041d
  Type: TOTP
  ...
- A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.
- Make sure you are logged in as the administrator.
- Insert the YubiKey token.
- Run the ipa otptoken-add-yubikey command with the --owner option. For example:
$ ipa otptoken-add-yubikey --owner=user
22.2.6. Migrating from a Proprietary OTP Solution
Note
- Make sure that the radius user authentication method is enabled. See Section 22.2.2, “Enabling OTP Authentication”.
- Run the ipa radiusproxy-add proxy_name command to add a RADIUS proxy. The command prompts you for the required information.
- Run the ipa user-mod radiususer --radius=proxy_name command to assign a user to the added proxy.
- If required, configure the user name to be sent to RADIUS by running the ipa user-mod radiususer --radius-username=radius_user command.
22.2.7. Promoting the Current Credentials to Two-Factor Authentication
- Lock your screen. The default keyboard shortcut to lock the screen is Super key+L.
- Unlock your screen. When asked for credentials, use both password and OTP.