diff --git a/changelogs/fragments/951-ipa_user-add-userauthtype-param.yaml b/changelogs/fragments/951-ipa_user-add-userauthtype-param.yaml
new file mode 100644
index 0000000000..c13a83d3c9
--- /dev/null
+++ b/changelogs/fragments/951-ipa_user-add-userauthtype-param.yaml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+ - "ipa_user - add ``userauthtype`` option (https://github.com/ansible-collections/community.general/pull/951)."
diff --git a/plugins/modules/identity/ipa/ipa_user.py b/plugins/modules/identity/ipa/ipa_user.py
index 32b4bd0b6f..814da2840c 100644
--- a/plugins/modules/identity/ipa/ipa_user.py
+++ b/plugins/modules/identity/ipa/ipa_user.py
@@ -90,6 +90,12 @@ options:
 - Default home directory of the user.
 type: str
 version_added: '0.2.0'
+ userauthtype:
+ description:
+ - The authentication type to use for the user.
+ choices: ["password", "radius", "otp", "pkinit", "hardened"]
+ type: str
+ version_added: '1.2.0'
 extends_documentation_fragment:
 - community.general.ipa.documentation
@@ -139,6 +145,15 @@ EXAMPLES = r'''
 ipa_user: admin
 ipa_pass: topsecret
 update_password: on_create
+
+- name: Ensure pinky is present and using one time password authentication
+ community.general.ipa_user:
+ name: pinky
+ state: present
+ userauthtype: otp
+ ipa_host: ipa.example.com
+ ipa_user: admin
+ ipa_pass: topsecret
 '''
 RETURN = r'''
@@ -182,7 +197,8 @@ class UserIPAClient(IPAClient):
 def get_user_dict(displayname=None, givenname=None, krbpasswordexpiration=None, loginshell=None, mail=None, nsaccountlock=False, sn=None, sshpubkey=None, telephonenumber=None,
- title=None, userpassword=None, gidnumber=None, uidnumber=None, homedirectory=None):
+ title=None, userpassword=None, gidnumber=None, uidnumber=None, homedirectory=None,
+ userauthtype=None):
 user = {}
 if displayname is not None:
 user['displayname'] = displayname
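Review bot: `userauthtype` is declared as a single string (`type: str` in the option docs added at -90,6 +90,12, and `type='str'` in the argument_spec hunk in main()), but FreeIPA's `ipauserauthtype` attribute is multi-valued, so an account that should accept, say, both `password` and `otp` cannot be described. Sending one value presumably replaces whatever set the account already carries, which could silently drop a stronger factor that was configured by hand. Consider `type: list` with `elements: str` in the docs and `type='list', elements='str'` in the main() entry; get_user_dict passes the value through unchanged and would need no edit. The description could also state that omitting the option leaves the server-side value untouched.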
@@ -211,6 +227,8 @@ def get_user_dict(displayname=None, givenname=None, krbpasswordexpiration=None,
 user['uidnumber'] = uidnumber
 if homedirectory is not None:
 user['homedirectory'] = homedirectory
+ if userauthtype is not None:
+ user['ipauserauthtype'] = userauthtype
 return user
@@ -293,7 +311,8 @@ def ensure(module, client):
 telephonenumber=module.params['telephonenumber'], title=module.params['title'], userpassword=module.params['password'], gidnumber=module.params.get('gidnumber'), uidnumber=module.params.get('uidnumber'),
- homedirectory=module.params.get('homedirectory'))
+ homedirectory=module.params.get('homedirectory'),
+ userauthtype=module.params.get('userauthtype'))
 update_password = module.params.get('update_password')
 ipa_user = client.user_find(name=name)
@@ -340,7 +359,9 @@ def main():
 choices=['present', 'absent', 'enabled', 'disabled']),
 telephonenumber=dict(type='list', elements='str'),
 title=dict(type='str'),
- homedirectory=dict(type='str'))
+ homedirectory=dict(type='str'),
+ userauthtype=dict(type='str',
+ choices=['password', 'radius', 'otp', 'pkinit', 'hardened']))
 module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
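Review bot: The key written in the -211,6 +227,8 hunk is `ipauserauthtype`, while the other entries visible there use the parameter name as the key, so the rename deserves a comment such as `# IPA stores this as 'ipauserauthtype'; the module option drops the 'ipa' prefix`. Because `None` is the only way to skip the key and the argument_spec restricts values to the five choices, a playbook appears to have no way to clear a per-user setting and fall back to the server-wide policy. If that is intended, the option description should say so. get_user_dict starts before this hunk, so the rest of the mapping is not visible here.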