How to set up 2FA for user login

Fedora Linux 38 (Workstation). I’m trying set up 2fa with google-authenticator for user login. I’ve tried the gdm-password and Login files but all I can get it to do is ask for a verification code, but the code won’t work. Adding it for SSH works fine so I dont know what are files or what lines i need to change in order for login to work. Any tips/advice would be greatly appreciated.

I’ve only used it for SSH myself. But I wonder if the problem could be selinux related?

I remember noticing a special selinux rule for google authenticator.

$ grep google-authenticator /etc/selinux/targeted/contexts/files/file_contexts
/var/lib/google-authenticator(/.*)?	system_u:object_r:var_auth_t:s0

Maybe try adding a line like the following in your PAM login service configuration?

auth requisite secret=/var/lib/google-authenticator/${USER} echo_verification_code

You’ll need to make the directory first.

$ sudo mkdir /var/lib/google-authenticator
$ sudo chmod 1777 /var/lib/google-authenticator

Oh. And you’ll need to specify the location for the auth file by using google authenticator’s -s option.

For example:

$ google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l "${USER}@$(hostname)" -Q utf8 -s "/var/lib/google-authenticator/${USER}"