Thanks for the reply. I’m familiar with the topic discussing Google Authenticator two-factor authentication that you linked to; however, that approach will not work for me. And since I’m on platform-6.6.4, it’s a bit more complicated than overriding AppLoginWindow#doLogin.
I was in a rush and needed to get this done before a security audit, so I coded a solution myself. I overrode DefaultApp#ConnectionStateChanged to generate a security code and store it in a session attribute. I also overrode DefaultApp#afterLoggedIn to check for that attribute and, if it exists, force a dialog where the user must enter the security code (similar to what it does when getChangePasswordAtNextLogon is true). I use a timer on that dialog to keep track of how long the page is open and, if the timeout interval is met, force logout so they will have to start the process all over again. It may not be the best approach, but it’s the best I could come up with in the allotted time.
I really got stuck on how to force the user back to the login screen upon timeout, so I ended up using the same functionality that’s used for the logout button (App#logout). However, it would be preferable to expire their session rather than log them out. It looks like you provided an answer to another topic of mine that may be relevant (Extend Session and Redirect to Login When Expired), so I’ll take a look at that and see if it helps.
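An added example, not part of the original post and not platform code: a plain-Java holder for the kind of session-stored security code described above, with the expiry enforced on the server when the code is checked rather than only by the dialog timer. The class name `PendingSecurityCode`, the six-digit format, the attempt limit and the two-minute lifetime are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;

/** Hypothetical one-time login code; one instance would be stored as the session attribute. */
public final class PendingSecurityCode {
    public enum Result { ACCEPTED, REJECTED, EXPIRED, LOCKED }

    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, not java.util.Random
    private static final int MAX_ATTEMPTS = 5;                  // assumed guess limit
    private final byte[] code;
    private final Instant expiresAt;
    private int failures;
    private boolean used;

    public PendingSecurityCode(Duration ttl, Instant now) {
        // nextInt(bound) is unbiased; Locale.ROOT keeps the digits ASCII
        this.code = String.format(Locale.ROOT, "%06d", RNG.nextInt(1_000_000))
                .getBytes(StandardCharsets.US_ASCII);
        this.expiresAt = now.plus(ttl);
    }

    /** Value handed to whatever delivery channel the application uses (not specified in the post). */
    public String codeForDelivery() { return new String(code, StandardCharsets.US_ASCII); }

    public synchronized Result verify(String submitted, Instant now) {
        // Checked server-side, so a stalled or bypassed UI timer cannot extend the window
        if (used || !now.isBefore(expiresAt)) return Result.EXPIRED;
        if (failures >= MAX_ATTEMPTS) return Result.LOCKED;
        byte[] candidate = submitted == null ? new byte[0]
                : submitted.trim().getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison; a match consumes the code so it cannot be replayed
        if (MessageDigest.isEqual(code, candidate)) { used = true; return Result.ACCEPTED; }
        failures++;
        return failures >= MAX_ATTEMPTS ? Result.LOCKED : Result.REJECTED;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed timestamps
        PendingSecurityCode pending = new PendingSecurityCode(Duration.ofMinutes(2), t0);
        System.out.println(pending.verify("not-it", t0.plusSeconds(10)));
        System.out.println(pending.verify(pending.codeForDelivery(), t0.plusSeconds(20)));
        System.out.println(pending.verify(pending.codeForDelivery(), t0.plusSeconds(30)));
        PendingSecurityCode late = new PendingSecurityCode(Duration.ofMinutes(2), t0);
        System.out.println(late.verify(late.codeForDelivery(), t0.plusSeconds(121)));
    }
}
```

An `EXPIRED` or `LOCKED` result is the point at which the application would drop the session attribute and send the user back to the login screen.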