Two factor authentication

The Fedora account system frontend (noggin) allows for users to enroll otp token(s). See for end user documentation.

Otp tokens are then stored and managed in IPA backend.

Users who enroll a otp are then required to append it to their password or add it in a seperate field (if available) whenever they use their Fedora account system login.

Users who enroll a otp are also prohibited from removing the last otp they have enabled on their account. This is to prevent someone from removing the last otp to allow password only access to resources like sudo. See for discussion.

For this reason it’s advised to enroll multipule otp tokens, and/or to backup these tokens in case of device breakage/failure/loss.


Sometimes users will loose or otherwise no longer have access to their last otp and will need it to be cleared to allow them to login again and set a new one. These requests are sent into (Be sure to 'reply all' when processing these so other sysadmin-main members know they are processed)

Admins need to verify the users identity before processing these requests.

Including, but not limited to:

  • user sends gpg signed email with gpg key attached to their Fedora account

  • user can ssh to with the ssh private key associated with a ssh public key associated with their Fedora account

  • rover verification (in case of Red Hat employee).

  • Video or in person meeting with admin who knows their identity on sight.

Additionally, users only in ipausers group can have their token cleared as they don’t have access to much of anything (yet).

To clear a token, admin should:

  • login to

  • kinit admin@FEDORAPROJECT.ORG (enter the admin password)

  • ipa otptoken-find --owner <username>

  • ipa otptoken-del <token uuid from previous step>

Or alternately, admin can use the ipa web ui: