This module allows users to self-register a password that will be asked after the initial login process. The password is not stored in a UserDB backend (LDAP, SQL...) but in the persistent session instead, where it can be managed through the same 2FA management tools as all other second factors.
Warning
Using this module only makes sense if the first authentication factor is NOT knowledge-based.
Passwords are stored in encrypted form, by default, the key used for encryption is the global one, set in
General Parameters » Advanced Parameters » Security » Key
However, if you store your configuration and persistent sessions in the same database, this defeats the point of encryption entirely.
It is recommended to set the password encryption key in /etc/lemonldap-ng/lemonldap-ng.ini instead:
[all]
password2fKey=changeme
All parameters are configured in “General Parameters » Second factors » Password”.