Pointer for two-factor authentication

Printable View

Oct 7th, 2012, 03:57 PM
yglodt

Pointer for two-factor authentication

Hi spring-security users :-)

can someone give some pointers for doing 2-factor authentication ?

The workflow will be that a user will provide username+password, then will be redirected to a second form where he needs to put in a temporary one-time password which was just sent to him/her by email or sms.

Only after that 2nd password was provided correctly, the user can go on and is fully authenticated.

Additionally I would like to have step 2 only happen once a month or every 10th login attempt (based on data from the db), or when using a new computer/browser (cookie based).

I understand that spring web flow could be helpful but I need some pointers or examples on how to get started.

Thanks in advance for any help!
Oct 8th, 2012, 10:59 PM
arthomps

Quote:

Originally Posted by yglodt

Hi spring-security users :-)

can someone give some pointers for doing 2-factor authentication ?

The workflow will be that a user will provide username+password, then will be redirected to a second form where he needs to put in a temporary one-time password which was just sent to him/her by email or sms.

Only after that 2nd password was provided correctly, the user can go on and is fully authenticated.

Additionally I would like to have step 2 only happen once a month or every 10th login attempt (based on data from the db), or when using a new computer/browser (cookie based).

I understand that spring web flow could be helpful but I need some pointers or examples on how to get started.

Thanks in advance for any help!

We did something like this recently. We used spring security for normal auth, but then rather then giving them ROLE_USER upon login, we gave them PRE_AUTH_USER. Then we sent them to a page to update their new credentials and had that second form, once successfully completed give them ROLE_USER.

The additional step you described can be done with overriding userdetailsservice + making use of the expired flag.
Oct 10th, 2012, 10:41 AM
yglodt

Hi and thanks for the interesting suggestion !

To check if I got your idea:

This means that from the 2nd page the (sms/email) code would need to be checked for validity manually, and on success we would set the roles of the logged user programmatically and redirect to the portal?
Oct 11th, 2012, 04:05 AM
arthomps

Quote:

Originally Posted by yglodt

Hi and thanks for the interesting suggestion !

To check if I got your idea:

This means that from the 2nd page the (sms/email) code would need to be checked for validity manually, and on success we would set the roles of the logged user programmatically and redirect to the portal?

that is correct
Oct 11th, 2012, 04:11 AM
yglodt

Okay thanks again for your valued input !