    How to Configure 2 Factor Authentication or OTP in FreeIPA


    What is OTP and 2FA?

    OTP stands for One Time Password and 2FA for two factor authentication. OTP has been available for a long time; RSA then came up with hardware tokens somewhere in the 1990s, which made it much more usable. The IdM solution for OTP authentication is only supported for clients running Red Hat Enterprise Linux 7.1 or later.

    A one-time password (OTP) is a password valid for only one authentication session; it becomes invalid after use. Unlike a traditional static password, an OTP generated by an authentication token keeps changing. OTPs are used as part of two-factor authentication:
    1. The user authenticates with a traditional password.
    2. The user provides an OTP code generated by a recognized OTP token.
    Two-factor authentication is considered safer than authentication using a traditional password alone. Even if a potential intruder intercepts the OTP during login, the intercepted OTP will already be invalid by that point, because it can be used for successful authentication only once.

    User-managed and Administrator-managed Tokens

    Users can manage their own tokens, or the administrator can manage their tokens for them:
    User-managed tokens
    Users have full control over user-managed tokens in Identity Management: they are allowed to create, edit, or delete their tokens.
    Administrator-managed tokens
    The administrator adds administrator-managed tokens to the users' accounts. Users themselves have read-only access for such tokens: they do not have the permission to manage or modify the tokens and they are not required to configure them in any way.

    Supported OTP Algorithms

    Identity Management supports the following two standard OTP mechanisms:
    ·       The HMAC-Based One-Time Password (HOTP) algorithm is based on a counter. HMAC stands for Hashed Message Authentication Code.
    ·       The Time-Based One-Time Password (TOTP) algorithm is an extension of HOTP to support a time-based moving factor.

    Installing FreeIPA 

    Follow this article to install and set up FreeIPA on CentOS 7 or CentOS 8.

    After adding a host to FreeIPA and adding a user to FreeIPA, we will go straight to the procedure for enabling OTP for user logins.

    Command Line: Enabling Two Factor Authentication

    To set authentication methods globally for all users:
    1. Run the ipa config-mod --user-auth-type command. For example, to set the global authentication method to two-factor authentication:
    $ ipa config-mod --user-auth-type=otp

    To set authentication methods individually for a specified user:
    • Run the ipa user-mod --user-auth-type command. For example, to require that a specific user use two-factor authentication:
    $ ipa user-mod user --user-auth-type=otp
    1. Log in to the FreeIPA Web UI with the initial username and password provided by the administrator.

    2. Reset your password now, providing the “Current password” and the new password twice.

    [Screenshot: reset FreeIPA password]

    3. Now click “OTP tokens” and click “Add” to create a token for your user.

    [Screenshot: FreeIPA OTP]

    4. Now give a description and click the “Add and Edit” button to generate a QR code.

    5. Now install the “FreeOTP” app from Red Hat on your mobile device, scan the QR code and click “OK” to close the pop-up.

    6. Now log in to the server using your password and OTP.

    [Screenshot: FreeIPA OTP login]
