  • Pointer for two-factor authentication

    Hi spring-security users :-)

    Can someone give me some pointers for doing 2-factor authentication?

    The workflow will be that a user will provide username+password, then will be redirected to a second form where he needs to put in a temporary one-time password which was just sent to him/her by email or sms.

    Only after that 2nd password was provided correctly, the user can go on and is fully authenticated.

    Additionally I would like to have step 2 only happen once a month or every 10th login attempt (based on data from the db), or when using a new computer/browser (cookie based).

    I understand that spring web flow could be helpful but I need some pointers or examples on how to get started.

    Thanks in advance for any help!

  • #2
    In reply to the post by yglodt above:
    We did something like this recently. We used Spring Security for normal auth, but then rather than giving them ROLE_USER upon login, we gave them PRE_AUTH_USER. Then we sent them to a page to update their new credentials and had that second form, once successfully completed, give them ROLE_USER.

    The additional step you described can be done by overriding UserDetailsService + making use of the expired flag.
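
    Sketch of the two-step scheme described in this reply (an added example, not code from the poster or from the Spring Security project): form login grants only PRE_AUTH_USER, the filter chain lets such a session reach nothing but the OTP page, and the second form swaps the token for one carrying ROLE_USER. The /otp path, the in-memory code store and the UserDetailsService that hands out PRE_AUTH_USER are assumptions; it targets Spring Security 6, where the updated context must be saved explicitly.

```java
import java.security.MessageDigest;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
@Configuration
public class TwoStepLoginConfig {
    // Assumed: the UserDetailsService behind form login grants only PRE_AUTH_USER
    // (or ROLE_USER directly when the db says step 2 is not due this time).
    @Bean
    SecurityFilterChain chain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a
                .requestMatchers("/otp/**").hasAuthority("PRE_AUTH_USER")
                .anyRequest().hasRole("USER"))        // ROLE_USER exists only after step 2
            .formLogin(f -> f.defaultSuccessUrl("/otp", true));
        return http.build();
    }
}
/** Step 2: checks the mailed/SMSed code and upgrades PRE_AUTH_USER to ROLE_USER. */
class OtpStep {
    // Constructed in-memory store, username -> code just sent; a real one expires entries.
    final ConcurrentHashMap<String, String> pendingCodes = new ConcurrentHashMap<>();
    private final SecurityContextRepository repo = new HttpSessionSecurityContextRepository();

    boolean verifyCode(String submitted, HttpServletRequest req, HttpServletResponse res) {
        SecurityContext ctx = SecurityContextHolder.getContext();
        Authentication current = ctx.getAuthentication();
        boolean preAuth = current != null && current.getAuthorities().stream()
                .anyMatch(g -> "PRE_AUTH_USER".equals(g.getAuthority()));
        if (!preAuth) return false;                                 // step 1 not completed
        String expected = pendingCodes.remove(current.getName());  // single use, even on failure
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(), submitted.getBytes())) return false;
        Authentication full = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
        ctx.setAuthentication(full);
        repo.saveContext(ctx, req, res);   // Spring Security 6 no longer persists this implicitly
        return true;
    }
}
```

    The controller behind the /otp form calls verifyCode and redirects to the portal on true; the constant-time comparison and single-use removal keep a guessed or replayed code from upgrading the session.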



    • #3
      Hi and thanks for the interesting suggestion!

      To check if I got your idea:

      This means that from the 2nd page the (sms/email) code would need to be checked for validity manually, and on success we would set the roles of the logged user programmatically and redirect to the portal?



      • #4
        In reply to the post by yglodt above:
        That is correct.



        • #5
          Okay, thanks again for your valued input!
