The issue is related to #7012. When 2FA is required, ipa otptoken-del doesn't let the user delete the last active OTP token. It's a fail safe to prevent account lock out. OTP tokens are considered active when they are not disabled and are still valid (not before / not after). However FreeIPA does not validate that an user has still access to an OTP.

Scenario

A user has two token. The token securid is a physical hardware token. The second token freeotp is stored in FreeOTP Android app on a smart phone. Both tokens are neither disabled nor expired and therefore considered active.

The user has lost his securid token somewhere during lunch break. Since it might be compromised, he uses an existing Kerberos TGT to delete the token ipa otptoken-del securid. After all he has a backup OTP on his mobile phone. FreeIPA lets him delete the token because freeotp exists.

At that point, neither the user nor freeIPA are aware, that the user has lost access to the freeotp token. Perhaps he deleted the app or migrated to a new phone. Since securid has been deleted and freeotp is no longer accessible, the user has locked himself out of freeIPA.

Proposal

Before deleting an OTP, the user must proof that he is able to access any of the remaining OTP token generators. ipa otptoken-del should require a valid OTP value from another of the remaining, active OTP tokens. The cryptsetup luksKillSlot command behaves similar.

It may be a good idea to have a --force option or something similar that allows a user to delete his last token any way in case of a compromise.