Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Shiro, Multi Factor Authentication

Is there a way to implement multi factor authentication in Shiro? Can somebody give me a hint on how to implement this?

For more details: The basic idea is, that a user needs to login just as usual, using username and password, but before being actually authenticated the user also needs to enter a one-time-token he received as an SMS.

Thank you!

like image 674
RedSonja Avatar asked Aug 28 '13 10:08

RedSonja


People also ask

What is Shiro authentication?

May 11, 2020. 4 MIN READ. Apache Shiro is a Java security framework that can perform authentication, authorization, session management, along with a host of other features for building secure applications.


1 Answers

I finally solved my problem on my own, but I'm of course always open to other suggestions.

I implemented my own 2 - Factor Authentication Flow:

First of all I changed the URL of the login page, to which Shiro redirects an unauthenticated user to my own login page, that leads into the authentication mechanism. A user needs to complete two "stages" to login.

  • On the first stage he/she has to provide a username and password, if these are valid, the user is redirected to the second stage of login.
  • Meanwhile, a one time token has been generated and sent to the user via SMS. Also the user's authentication progress has been saved in the session (which means I remember, that stage 1 was completed successfully).
  • On stage 2 the user needs to enter the token. If the token was
    • not valid or the number of attempts (5) was exceeded
    • expired (after 5 minutes) the number of attempts to correctly enter the token exceeded 4 the user will be redirected to Stage 1 and all progress will be deleted. I
  • if everything went fine, the user will be authenticated to Shiro (of course without letting him/her know)

In the end the user will be redirected to the page he/she originally requested, which still allows him/her to bookmark pages. Of course Shiro's remember-me will always be deactivated.

like image 157
RedSonja Avatar answered Oct 02 '22 19:10

RedSonja