MFA for Admin Accounts

Hello,
I am trying to set up local admin accounts so that they first have to log in with their normal username/password and then log in with their TOTP token, for example.

This is already set up for normal users and works perfectly. Unfortunately, this policy does not seem to work for admin accounts.

The policy “login_mode: privacyIDEA”
and the further policy
“challenge_response: totp hotp yubikey webauthn | otppin: userstore | reset_all_user_tokens: true”
are configured.
This corresponds exactly to the guidelines for normal users.

What do I have to do differently so that it works like for users?

Kind regards

Please read the docs about admins:

It is not possible to add a 2nd factor to internal admins, since these are not users to privacyIDEA by intended design.
If you want to have admins with a 2nd factor, you need to start with administrative realms.

I have already created a ‘passwdresolver’ with the local users and created the admin realm ‘localuser’ for it. In pi.cfg the realm is included as a superuser realm (‘SUPERUSER_REALM: [localuser]’).

Nevertheless, I have the problems described above. Or have I misunderstood something?