My project is using platform-6.6.4, and I have a requirement to implement multi-factor authentication. The basic login procedure must be as follows:
- User enters login and password as usual on the login page.
- Once that information is verified, the system generates a random token and sends it to the User. Another field/page (not sure what the best approach is) is displayed, allowing the User to enter the token.
- If the token is correct, proceed with session creation.
I’ve dug into the code and it appears that the custom logic needs to be added to the middle of LoginWorkerBean.login(). After a successful call to passwordEncryption.checkPassword(), I would need to perform the token generation and either navigate to another page and/or update the login page so the User can enter the token. Then I would need to verify the token and continue on with the login process.
I did a lot of research, but I’m not sure if this is actually the best approach… is it? If not, what is the best way to implement this functionality? I know that login functionality has been changed in a recent release; would it be easier to implement if I upgraded?
Assuming my analysis led me to the right approach, I’m not sure how to update the UI accordingly… any guidance would be greatly appreciated.
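
The token step of the procedure above, as an added example that is not part of the original post and is not platform code: it issues a random code after the password check and verifies it once, with expiry and a retry limit. The class name `LoginTokenService`, the five-minute lifetime, the three-attempt limit and the six-digit format are assumptions; delivery of the code and the call sites in the login flow are left to the application.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (not a platform class): one-time codes for the second login step.
public class LoginTokenService {
    private static final Duration TTL = Duration.ofMinutes(5); // assumed lifetime
    private static final int MAX_ATTEMPTS = 3;                 // assumed retry limit
    private static final class Pending {
        final byte[] hash; final Instant expires; int attempts;
        Pending(byte[] hash, Instant expires) { this.hash = hash; this.expires = expires; }
    }
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    // Call only after the password check has succeeded; returns the code to send to the user.
    public String issue(String login) {
        String code = String.format("%06d", random.nextInt(1_000_000));
        pending.put(login, new Pending(sha256(code), Instant.now().plus(TTL))); // replaces any older code
        return code; // deliver out of band; do not log it
    }

    // True only for the current, unexpired code; each code is accepted at most once.
    public boolean verify(String login, String submitted) {
        Pending p = pending.get(login);
        if (p == null || submitted == null) return false;
        synchronized (p) {
            if (Instant.now().isAfter(p.expires) || ++p.attempts > MAX_ATTEMPTS) {
                pending.remove(login, p); // expired or too many guesses: force a new code
                return false;
            }
            // Hashing gives equal-length inputs; MessageDigest.isEqual compares in constant time.
            if (!MessageDigest.isEqual(p.hash, sha256(submitted))) return false;
            return pending.remove(login, p); // false if already consumed or superseded
        }
    }
    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Session creation should happen only after `verify` returns true, so a correct password alone never yields a session.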