MFA Log-in with Yubikey

Today I started setting up MFA on my Qubes using the Yubikey, following the guide in the official documentation: Multi-factor Login — Qubes OS Documentation.

After setting up and following the guide, I can’t log in anymore: my user password doesn’t work, and neither does the password I set up for the Yubikey. Honestly, there’s nothing else to say.

Is it possible to remove the guide before other users lose their data? Thank you…

How did you lose your data??
You ‘just’ locked yourself out…

Which can be fixed easily by:
adding init=/bin/bash rw to the Linux parameters in GRUB; it will boot the system into a root shell with write access.

If you want to help others, then:

  • specify what part of that guide you have tried to follow… There are multiple sections with different goals.
  • make sure that the guide is wrong, and that you didn’t just make some mistake…
  • check your logs to reveal the root cause of your lockout.
  • worst case: restore your system from backup, as the guide suggested you prepare one before you start :wink:

Losing my data is the consequence of locking myself out. I already tried the command that you wrote and it didn’t work (as logically should be).

  1. I already specified the section that I followed… if I’m talking about MFA with Yubikey, what part should it be if not the Yubikey part?
  2. I don’t think so… I just followed what the guide said… I don’t think I made a mistake.
  3. Checking the log to reveal the root cause of your lockout… really?
  4. I don’t know if the other parts of the guide said that, but the Yubikey part didn’t even mention it.

However, thank you for the help…

Looking through the forum, I’m not the only one who has had this problem. Here

My question is… why doesn’t the guide warn about the possible consequences? It is like buying a car where the documentation says “You can go 120mph”, but when you reach 120mph the engine blows up.

I can’t speak about the guide itself, but there is definitely a way to recover your data! Boot a live USB of Linux, unlock your Qubes disk if encrypted, mount it, and either roll back the changes in /etc or explore the Qubes data from the LVM volume group. We can help, really.


Thanks for the idea, I hadn’t even thought that it could be recovered in this way.

If anyone finds themselves in the same situation as me in the future, I followed this guide (even though part of it doesn’t work). Here

Mount the encrypted disk and find where the yubikey files are stored among all of the partitions; to simplify the process, just run:

find / -name yubikey

Restore the yubikey file (/etc/pam.d/yubikey) to its original state:

auth [default=ignore success=done] pam_exec.so expose_authtok quiet /usr/bin/yk-auth

and inside the PAM service configuration (directory: /etc/pam.d/) delete the line you added during the setup:

auth include yubikey

Now you can boot into Qubes without the Yubikey and delete all the Yubikey-related configuration. Thanks a lot @solene

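Added example, not part of any post in this thread and not from the Qubes documentation: the two recovery steps described above as a shell script, run from a live system against the already unlocked and mounted Qubes root. The mount point argument, the function names and the backup directory etc/pam.d.pre-recovery are assumptions; the restored line is the one quoted in the post.

```shell
#!/bin/sh
# Assumption: $1 is the mount point of the unlocked Qubes root filesystem.
# BRE matching the line the post says was added during setup.
PATTERN='^[[:space:]]*auth[[:space:]][[:space:]]*include[[:space:]][[:space:]]*yubikey[[:space:]]*$'
# Content of /etc/pam.d/yubikey as quoted in the post above.
ORIGINAL='auth [default=ignore success=done] pam_exec.so expose_authtok quiet /usr/bin/yk-auth'

# Print the PAM service files under <root>/etc/pam.d that include the yubikey stack.
find_yubikey_includes() {
    grep -l "$PATTERN" "$1"/etc/pam.d/* 2>/dev/null
}

# Copy a file into the backup directory (kept outside pam.d so it is never parsed).
backup_file() {
    mkdir -p "$1/etc/pam.d.pre-recovery" && cp -p "$2" "$1/etc/pam.d.pre-recovery/"
}

# Step 1: put /etc/pam.d/yubikey back to the quoted line, if the file exists.
restore_yubikey_file() {
    f="$1/etc/pam.d/yubikey"
    [ -f "$f" ] || return 0
    backup_file "$1" "$f" && printf '%s\n' "$ORIGINAL" > "$f"
}

# Step 2: delete the "auth include yubikey" line from every service file.
remove_yubikey_includes() {
    root=$1
    [ -d "$root/etc/pam.d" ] || { echo "no etc/pam.d under $root" >&2; return 1; }
    find_yubikey_includes "$root" | while IFS= read -r f; do
        backup_file "$root" "$f" || exit 1
        # Writing through the redirection keeps the file's owner and mode.
        sed "/$PATTERN/d" "$root/etc/pam.d.pre-recovery/$(basename "$f")" > "$f"
        echo "cleaned $f"
    done
}

if [ "$#" -ge 1 ]; then
    restore_yubikey_file "$1" && remove_yubikey_includes "$1"
fi
```

Originals are kept in etc/pam.d.pre-recovery on the mounted disk, so each change can be compared or reverted after the next successful boot.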

I’m glad you were able to restore your system :slight_smile:

I’ll try to figure out what went wrong in various cases and replicate it on my own setup. If it fails 100% of the time, we should indeed do something about the documentation.


I will set up another Qubes OS on my second drive, so I can perform various tests and find a way to make it work. A warning should be added to the documentation so that others do not find themselves in the same situation as me.