Why Add 2FA to Your Fedora System?
If you’re a Linux user, you already value control and security. But even the strongest password can be compromised. Two-Factor Authentication (2FA) adds an extra layer of protection to your Fedora machine by requiring a time-based one-time password (TOTP) from an app like Google Authenticator or Authy — ensuring that only you can log in, even if someone gets your password.
In this guide, we’ll walk you through enabling 2FA for both graphical logins (LightDM/GDM) and TTY/console logins on Fedora.
What You’ll Need
- A Fedora Linux machine (Workstation or Server)
- A smartphone with Google Authenticator, Authy, or similar
- Root access
Step 1: Install the Google Authenticator PAM Module
Open your terminal and run:
sudo dnf install -y google-authenticator
Step 2: Generate a TOTP Secret for Your User
Instead of using ~/.google_authenticator in your home folder (which causes permission issues), we’ll store secrets in a secure system path.
Run the following as root:
mkdir -p /var/lib/google-authenticator
chmod 1777 /var/lib/google-authenticator
restorecon -v /var/lib/google-authenticator
Then generate your 2FA secret as the user who will log in ($(whoami) sets both the label and the file name):
google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l "$(whoami)@$(hostname)" -Q utf8 -s "/var/lib/google-authenticator/$(whoami)"
- Scan the QR code with your app.
- Save the backup codes provided.
Step 2.5: (Recommended) Open a Root Shell on a Second TTY
Before you make changes to PAM (which controls login behavior), it’s a good idea to open a backup terminal session — just in case something goes wrong and you can’t log in.
- Press Ctrl + Alt + F3 to switch to a second TTY.
- Log in with your username and password.
- Become root:
sudo -i
Now leave this session open. If something breaks while editing PAM, you can use this terminal to revert the changes:
nano /etc/pam.d/lightdm
# or
nano /etc/pam.d/login
This gives you a fallback way in — super important when you’re locking down login mechanisms.
Step 3: Configure PAM for LightDM or Login
To require a TOTP code on login, edit the PAM config files:
For graphical login (LightDM):
sudo nano /etc/pam.d/lightdm
Add this line before auth include postlogin:
auth required pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}
For TTY login (Ctrl+Alt+F3, etc.):
sudo nano /etc/pam.d/login
Insert the same line near the top:
auth required pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}
Step 4: Test It!
- Press Ctrl+Alt+F3 to access a TTY session.
- Try logging in — you should be prompted for both your password and a 2FA code.
- Restart LightDM (optional):
sudo systemctl restart lightdm
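The check below is an added example, not part of the original guide: it reports whether each PAM file from Step 3 loads pam_google_authenticator.so with nullok (users without a secret file are then not asked for a code), which accounts have no secret file, and which secret files are too permissive or owned by someone other than the named user. The function names and the --report flag are hypothetical.

```shell
#!/bin/sh
# Added example, not from the guide: audit the 2FA setup described above.
# Function names and the --report flag are hypothetical.

# Classify how a PAM service file loads pam_google_authenticator.so:
#   missing  = no active (uncommented) auth line loads it
#   nullok   = loaded, but users without a secret file are not asked for a code
#   enforced = loaded without nullok
pam_2fa_mode() {
    pam_line=$(sed -n -E '/^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so/{p;q;}' "$1")
    if [ -z "$pam_line" ]; then echo missing
    elif printf '%s\n' "$pam_line" | grep -qw nullok; then echo nullok
    else echo enforced
    fi
}

# Print each listed user that has no secret file in directory $1.
unenrolled_users() {
    secret_dir=$1; shift
    for u in "$@"; do
        [ -f "$secret_dir/$u" ] || echo "$u"
    done
}

# Print secret files that group/others can access, or whose owner differs
# from the file name. In a 1777 directory any local user can create a file
# under another user's name, so the owner check matters.
weak_secret_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        meta=$(stat -c '%a %U' "$f")                 # e.g. "600 alice"
        case ${meta%% *} in 0|*00) ;; *) echo "$f"; continue ;; esac
        [ "${meta#* }" = "$(basename "$f")" ] || echo "$f"
    done
}

audit_report() {
    d=${SECRET_DIR:-/var/lib/google-authenticator}
    for svc in /etc/pam.d/lightdm /etc/pam.d/login; do
        if [ -f "$svc" ]; then echo "$svc: $(pam_2fa_mode "$svc")"; fi
    done
    # Assumption: human accounts have UID >= 1000 and a real login shell.
    users=$(awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ {print $1}' /etc/passwd)
    echo "no secret file: $(unenrolled_users "$d" $users | tr '\n' ' ')"
    echo "weak secret files: $(weak_secret_files "$d" | tr '\n' ' ')"
}

if [ "${1:-}" = "--report" ]; then audit_report; fi
```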
Optional: Enforce 2FA Only for Certain Users
Instead of enabling it for all users, you can use conditions like:
# success=1 skips the next line, so every user except your_username bypasses the TOTP check
auth [success=1 default=ignore] pam_succeed_if.so user != your_username
auth required pam_google_authenticator.so secret=/var/lib/google-authenticator/your_username
Ask us in the comments if you want a step-by-step guide for that!
You’re Done!
You’ve now added rock-solid 2FA protection to your Fedora login. Whether you’re on a laptop, a home server, or a cloud VM, this is one of the easiest ways to reduce risk.
Security-conscious, Linux-strong. That’s the Techlino way.
Mohammad Dahamshi is a skilled Embedded Software Engineer and web developer. With experience in C/C++, Linux, WordPress, and DevOps tools, he helps businesses solve technical challenges and build reliable digital solutions. Fluent in Arabic, Hebrew, and English, he also runs Saratec, offering web design and digital marketing services.