diff --git a/roles/base/tasks/crypto-policies.yml b/roles/base/tasks/crypto-policies.yml
new file mode 100644
index 0000000000..d7351ffde8
--- /dev/null
+++ b/roles/base/tasks/crypto-policies.yml
@@ -0,0 +1,10 @@
+- name: Set crypto-policy on fedora 33 and higher hosts to allow 2fa to work
+  template:
+    dest: /etc/crypto-policies/config
+    src: crypto-policies-config
+    owner: root
+    mode: 644
+  when: ansible_distribution_major_version|int >= 33
+  tags:
+  - crypto-policies
+  - base/crypto-policies
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 35a59fbb5a..f78beec184 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -581,3 +581,6 @@
   - base
   - config
   - python3alternative
+
+- name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
+  import_tasks: crypto-policies.yml
diff --git a/roles/base/templates/crypto-policies-config b/roles/base/templates/crypto-policies-config
new file mode 100644
index 0000000000..af05e9bc61
--- /dev/null
+++ b/roles/base/templates/crypto-policies-config
@@ -0,0 +1 @@
+LEGACY