
Is there a way to implement multi-factor authentication in Shiro? Can somebody give me a hint on how to implement this?

For more details: The basic idea is that a user needs to log in just as usual, using username and password, but before being actually authenticated the user also needs to enter a one-time token he received via SMS.

Thank you!

RedSonja
  • No idea? Anybody? I would also be content with a tip where I would need to "plug in" my own implementation of multifactor authentication, so it could work together with Shiro! – RedSonja Sep 02 '13 at 09:48

1 Answer


I finally solved my problem on my own, but I'm of course always open to other suggestions.

I implemented my own 2-Factor Authentication Flow:

First of all, I changed the URL of the login page to which Shiro redirects an unauthenticated user, pointing it at my own login page, which leads into the authentication mechanism. A user needs to complete two "stages" to log in.

  • On the first stage he/she has to provide a username and password; if these are valid, the user is redirected to the second stage of login.
  • Meanwhile, a one-time token has been generated and sent to the user via SMS. Also, the user's authentication progress has been saved in the session (which means I remember that stage 1 was completed successfully).
  • On stage 2 the user needs to enter the token. If the token was
    • not valid and the number of attempts (5) was exceeded, or
    • expired (after 5 minutes),
    the user will be redirected to Stage 1 and all progress will be deleted.
  • If everything went fine, the user will be authenticated to Shiro (of course without letting him/her know).

In the end the user will be redirected to the page he/she originally requested, which still allows him/her to bookmark pages. Of course Shiro's remember-me will always be deactivated.

RedSonja
  • Is there any code available that implements this behavior? – Paulo Pires Feb 14 '14 at 11:19
  • @PauloPires I'm sorry, I don't really have freely available code, I implemented this during an internship. But the implementation of the procedure itself is not that hard, you just need to figure out how you can make it work together with Shiro. After you are finished with the authentication just call the corresponding function in shiro. – RedSonja Feb 14 '14 at 17:50
  • @Sonja Thanks for sharing your method anyway! This will help me probably. So do you authenticate the username and password in the first stage using Shiro? From this article by Les Hazlewood, he says "This (multi-stage authentication) has been accomplished in Shiro-based applications however by the application collecting all required information up front and then interacting with Shiro." It seems best to do it your way, authenticate the username/password before doing a second stage. By the way I am just curious, how did you use SMS? – Michael K Jun 10 '14 at 21:43
  • @mikato thanks for your feedback, I hope my answer helped you! There are some reputable providers that offer contracts for SMS being sent from applications. They usually also provide an API to communicate with their servers. I used websms.at, which is an Austrian service, so I'm not sure if this will help you. – RedSonja Jun 12 '14 at 11:07
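The two-stage flow the answer describes, written out as an added example against Shiro's public API (this is not the answerer's code). It assumes a realm in the SecurityManager that accepts the hypothetical `OtpVerifiedToken` marker token, a caller-supplied `sendSms` callback for the SMS gateway, and Java 16+ for the record syntax; stage 1 verifies the password with `SecurityManager.authenticate()` so the Subject is not logged in until the token check passes.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*; // AuthenticationException, AuthenticationToken, UsernamePasswordToken
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.function.BiConsumer;

public class TwoStageLogin {
    static final String USER = "mfa.user", OTP = "mfa.otp", ISSUED = "mfa.issued", FAILS = "mfa.fails";
    static final int MAX_ATTEMPTS = 5; static final long OTP_TTL_MS = 5 * 60 * 1000L; // answer: 5 tries, 5 min
    /** Hypothetical marker token (assumption): a realm in the SecurityManager must accept it. */
    public record OtpVerifiedToken(String principal) implements AuthenticationToken {
        public Object getPrincipal() { return principal; }  public Object getCredentials() { return null; }
    }
    /** Stage 1: check username/password against the realms without logging the Subject in, then send the token. */
    public static boolean stage1(String username, char[] password, BiConsumer<String, String> sendSms) {
        UsernamePasswordToken creds = new UsernamePasswordToken(username, password);
        creds.setRememberMe(false);                                      // remember-me stays off
        try { SecurityUtils.getSecurityManager().authenticate(creds); } // verifies only, binds nothing
        catch (AuthenticationException e) { return false; }
        finally { creds.clear(); }                                       // password is not kept for stage 2
        String otp = String.format("%06d", new SecureRandom().nextInt(1_000_000));
        Session s = SecurityUtils.getSubject().getSession();
        s.setAttribute(USER, username); s.setAttribute(OTP, otp);       // "stage 1 completed" progress
        s.setAttribute(ISSUED, System.currentTimeMillis()); s.setAttribute(FAILS, 0);
        sendSms.accept(username, otp);                                   // application's SMS gateway (assumed)
        return true;
    }
    /** Stage 2: an expired token or the fifth failure wipes all progress, so the user restarts at stage 1. */
    public static boolean stage2(String entered) {
        Subject subject = SecurityUtils.getSubject(); Session s = subject.getSession();
        String user = (String) s.getAttribute(USER), otp = (String) s.getAttribute(OTP);
        Long issued = (Long) s.getAttribute(ISSUED); Integer fails = (Integer) s.getAttribute(FAILS);
        if (user == null || otp == null || issued == null || fails == null) return false; // stage 1 not completed
        boolean expired = System.currentTimeMillis() - issued > OTP_TTL_MS;
        boolean match = entered != null && MessageDigest.isEqual(      // constant-time comparison
                otp.getBytes(StandardCharsets.UTF_8), entered.getBytes(StandardCharsets.UTF_8));
        if (expired || !match) {
            s.setAttribute(FAILS, fails + 1);
            if (expired || fails + 1 >= MAX_ATTEMPTS) reset(s);
            return false;
        }
        reset(s);
        subject.login(new OtpVerifiedToken(user)); // only now is the user authenticated to Shiro
        return true;
    }
    static void reset(Session s) { for (String k : new String[]{USER, OTP, ISSUED, FAILS}) s.removeAttribute(k); }
}
```

The servlet or controller behind the custom login URL calls `stage1` from the first form and `stage2` from the second, redirecting to Stage 1 whenever either returns false.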