Shiro, Multi Factor Authentication

Question

Is there a way to implement multi factor authentication in Shiro? Can somebody give me a hint on how to implement this?

For more details: The basic idea is, that a user needs to login just as usual, using username and password, but before being actually authenticated the user also needs to enter a one-time-token he received as an SMS.

Thank you!

Answer 1

I finally solved my problem on my own, but I'm of course always open to other suggestions.

I implemented my own 2 - Factor Authentication Flow:

First of all I changed the URL of the login page, to which Shiro redirects an unauthenticated user to my own login page, that leads into the authentication mechanism. A user needs to complete two "stages" to login.

• On the first stage he/she has to provide a username and password, if these are valid, the user is redirected to the second stage of login.
• Meanwhile, a one time token has been generated and sent to the user via SMS. Also the user's authentication progress has been saved in the session (which means I remember, that stage 1 was completed successfully).
• On stage 2 the user needs to enter the token. If the token was
  • not valid or the number of attempts (5) was exceeded
  • expired (after 5 minutes) the number of attempts to correctly enter the token exceeded 4 the user will be redirected to Stage 1 and all progress will be deleted. I
• if everything went fine, the user will be authenticated to Shiro (of course without letting him/her know)

In the end the user will be redirected to the page he/she originally requested, which still allows him/her to bookmark pages. Of course Shiro's remember-me will always be deactivated.