Why Add 2FA to Your Fedora System?
If you’re a Linux user, you already value control and security. But even the strongest password can be compromised. Two-Factor Authentication (2FA) adds an extra layer of protection to your Fedora machine by requiring a time-based one-time password (TOTP) from an app like Google Authenticator or Authy — ensuring that only you can log in, even if someone gets your password.
In this guide, we’ll walk you through enabling 2FA for both graphical logins (LightDM/GDM) and TTY/console logins on Fedora.
What You’ll Need
- A Fedora Linux machine (Workstation or Server)
- A smartphone with Google Authenticator, Authy, or similar
- Root access
Step 1: Install the Google Authenticator PAM Module
Open your terminal and run:
sudo dnf install -y google-authenticator
Step 2: Generate a TOTP Secret for Your User
Instead of using ~/.google_authenticator in your home folder (which causes permission issues), we’ll store secrets in a secure system path.
Run the following as root:
mkdir -p /var/lib/google-authenticator
chmod 1777 /var/lib/google-authenticator
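restorecon -v /var/lib/google-authenticator
Then generate your 2FA secret:
google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l $(whoami)@$(hostname) -Q utf8 -s /var/lib/google-authenticator/$(whoami)
- Scan the QR code with your app.
- Save the backup codes provided. Note that -e 0 in the command above requests zero emergency codes; pass a higher value such as -e 5 if you want backup codes to save.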
Step 2.5: (Recommended) Open a Root Shell on a Second TTY
Before you make changes to PAM (which controls login behavior), it’s a good idea to open a backup terminal session — just in case something goes wrong and you can’t log in.
- Press Ctrl + Alt + F3 to switch to a second TTY.
- Log in with your username and password.
- Become root:
sudo -i
Now leave this session open. If something breaks while editing PAM, you can use this terminal to revert the changes:
nano /etc/pam.d/lightdm
# or
nano /etc/pam.d/login
This gives you a fallback way in, which is super important when you’re locking down login mechanisms.
Step 3: Configure PAM for LightDM or Login
To require a TOTP code on login, edit the PAM config files:
For graphical login (LightDM):
sudo nano /etc/pam.d/lightdm
Add this line before auth include postlogin:
auth required pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}
For TTY login (Ctrl+Alt+F3, etc.):
sudo nano /etc/pam.d/login
Insert the same line near the top:
auth required pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}
The nullok option lets users who have not generated a secret yet log in with only their password; remove it once every account that should use 2FA is enrolled.
Step 4: Test It!
- Press Ctrl+Alt+F3 to access a TTY session.
- Try logging in; you should be prompted for both your password and a 2FA code.
- Restart LightDM (optional):
sudo systemctl restart lightdm
Optional: Enforce 2FA Only for Certain Users
Instead of enabling it for all users, you can use conditions like:
# success=1 skips the next auth line, so every user except your_username skips the TOTP check
auth [success=1 default=ignore] pam_succeed_if.so user != your_username
auth required pam_google_authenticator.so secret=/var/lib/google-authenticator/your_username
Ask us in the comments if you want a step-by-step guide for that!
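Step 3 uses nullok, which lets any account without a secret file log in on its password alone. The script below is an added example (not part of the original guide or of the google-authenticator project): it reports whether a PAM file enforces the TOTP line and, when nullok is set, which of the accounts you name still have no secret file. The script name and the account names alice and bob in the usage comment are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of the TOTP line this guide adds to PAM.
# Usage (alice and bob are hypothetical account names):
#   bash totp-audit.sh /etc/pam.d/login /var/lib/google-authenticator alice bob

# Print the first active (uncommented) auth line loading the TOTP module.
totp_line() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n 1
}

# Classify a PAM file as MISSING, ENFORCED, or OPTIONAL (nullok present).
totp_status() {
    local line
    line=$(totp_line "$1")
    if [ -z "$line" ]; then
        echo MISSING
    elif printf '%s\n' "$line" | grep -qw nullok; then
        echo OPTIONAL
    else
        echo ENFORCED
    fi
}

# Print each named user that has no secret file in the secret directory.
unenrolled_users() {
    local dir="$1" user
    shift
    for user in "$@"; do
        [ -f "$dir/$user" ] || echo "$user"
    done
}

# Report the status and, under nullok, who can still log in without a code.
audit() {
    local pam="$1" dir="$2" status
    shift 2
    status=$(totp_status "$pam")
    echo "$pam: $status"
    if [ "$status" = OPTIONAL ]; then
        unenrolled_users "$dir" "$@" | sed 's/^/  password-only login: /'
    fi
}

if [ "$#" -ge 2 ]; then
    audit "$@"
fi
```

Run it against both /etc/pam.d/lightdm and /etc/pam.d/login, since the guide edits each file separately and one can be enforced while the other is not.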
You’re Done!
You’ve now added rock-solid 2FA protection to your Fedora login. Whether you’re on a laptop, a home server, or a cloud VM, this is one of the easiest ways to reduce risk.
Security-conscious, Linux-strong. That’s the Techlino way.
I’m a software engineer with roots in embedded systems and a growing focus on DevOps and self-hosted infrastructure. CKA certified, CCNA background, and a homelab that never sleeps — running Proxmox, Kubernetes, Docker, Coolify, and more. On techlino.net I share practical guides on Linux, virtualization, and infrastructure built from real experience.
