Multi-factor authentication

I’m running KDE 5.24.6 on RHEL 9.1 (with gdm) inside a corporate network. I installed it from EPEL9 and everything seems to work well. We have krb5_use_fast = try in /etc/sssd/sssd.conf. With this configuration, users who were issued a hardware key will be prompted (most of the time…) for their PIN and one-time password from the key, but with the “try” setting, could also be prompted for their password. This seems to be related to the network latency on the system when it talks to our Kerberos servers. For example, when I’m on VPN, I get a password prompt more often than an OTP prompt, etc. We configure the OTP prompt text in a [prompting/2fa] section in sssd.conf.
When my screen locks, I need to enter a credential to unlock it. The prompt text is always “Password”, but my PIN+OTP will unlock the screen most of the time. But since the prompt doesn’t distinguish between Password and OTP Token, I don’t know for sure which one to enter. Is there any way to configure this somewhere?


Paul M.
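As an added illustration (not part of Paul's post and not configuration shipped by the sssd or KDE projects), the following /etc/sssd/sssd.conf fragment puts the "try" FAST setting described above beside "demand". With "try", sssd continues unarmored when it cannot obtain a FAST armor ticket, and an unarmored exchange can only use password pre-authentication, since Kerberos OTP pre-authentication requires a FAST channel; with "demand", the login fails instead of silently falling back to a password prompt. The domain, realm, server names, keytab path and FAST principal are assumed placeholders.

```ini
# Added example, not taken from the thread. Names below are placeholders.

[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc1.example.com, kdc2.example.com
krb5_keytab = /etc/krb5.keytab

# The armor ticket for FAST is obtained with the host keytab credentials
# of this principal (assumed name).
krb5_fast_principal = host/workstation.example.com@EXAMPLE.COM

# try:    use FAST when the armor ticket can be obtained, otherwise
#         continue without it; the KDC then offers password
#         pre-authentication only, because OTP pre-auth needs FAST.
# demand: require FAST; if it cannot be established, authentication
#         fails rather than falling back to a password prompt.
krb5_use_fast = demand

# Prompt text pam_sss uses for two-factor logins.
[prompting/2fa]
first_prompt = PIN:
second_prompt = One-time password:
```

These prompt strings only help where the PAM conversation is passed through to the user, as it is at the gdm login; the thread's point is that the KDE lock screen still presents a single "Password" field regardless.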

We’ve recently started using PIV-D credentials (on a USB device) and the same applies here, where the unlock screen always asks for a password and not the PIV-D PIN.

At the moment, the lock screen UI is not ideal when using alternate authentication methods since the password field doesn’t get hidden when it won’t work. You can see this with fingerprint authentication too. It’s something we need to work on.