Question

Two-stage login with a secret question?

0

Is there an app which will accept a user_id and password, and then require an answer to a secret question to complete the login? I've been trying to this by dynamically changing the role of the logged in user, but I gather this can't be done straightforwardly.

asked 2015-11-28

Jim Longstaff (lecturer)

1 answers

Rom van Arendonk · Answer 1 · 2015-11-28

I've done something similar, but with SMS authentication. The process I used was:

Create a custom log in action
When the user logs in, assign a specific user role for authentication (no other rights)
Let the user enter the additional information
If correct, redirect the user to a request handler
In the request handler, give the user all his normal application roles and create a new session

To make this work, you need to store your normal user roles in a different relation than System.UserRoles, because you will be setting the UserRoles association to a specific user role for authentication.

Furthermore, this doesn't really add security: one or two passwords doesn't really add anything security wise. To improve security, you should add a random token (e.g. SMS code or Google authentication code).