Two-stage login with a secret question?

Is there an app which will accept a user_id and password, and then require an answer to a secret question to complete the login? I've been trying to do this by dynamically changing the role of the logged-in user, but I gather this can't be done straightforwardly.
1 answer

I've done something similar, but with SMS authentication. The process I used was:

  • Create a custom login action
  • When the user logs in, assign a specific user role for authentication (no other rights)
  • Let the user enter the additional information
  • If correct, redirect the user to a request handler
  • In the request handler, give the user all his normal application roles and create a new session

To make this work, you need to store your normal user roles in a different relation than System.UserRoles, because you will be setting the UserRoles association to a specific user role for authentication.

Furthermore, this doesn't really add security: one or two passwords don't really add anything security-wise. To improve security, you should add a random token (e.g. SMS code or Google Authenticator code).
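As an added illustration of the flow the answer describes, here is a platform-neutral Python sketch. It is not Mendix code and not the answerer's implementation: stage one checks the password and opens a session that holds only a pre-authentication role, stage two verifies a TOTP code (the "Google Authenticator" style random token the answer recommends instead of a second password), and success discards the pre-auth session and issues a new one carrying the user's real roles. The user store, salt, password and TOTP secret (the RFC 6238 test-vector secret) are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Set

# Constructed user store for this example; in a real app this is your database.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"example-salt-16b"  # constructed
USERS = {
    "alice": {
        "pw_hash": _pbkdf2("correct horse battery staple", _SALT),
        "salt": _SALT,
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret (constructed)
        "roles": {"User", "Approver"},            # the user's normal application roles
    }
}

SESSIONS: Dict[str, dict] = {}
PRE_AUTH_ROLE = "PreAuth"  # grants only the right to answer the second factor
MAX_CODE_ATTEMPTS = 5


def totp(secret: bytes, t: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements."""
    counter = (int(time.time()) if t is None else t) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login(user_id: str, password: str) -> Optional[str]:
    """Stage 1: verify the password and open a session holding only PRE_AUTH_ROLE."""
    user = USERS.get(user_id)
    if user is None:
        return None
    if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["pw_hash"]):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "roles": {PRE_AUTH_ROLE}, "attempts": 0}
    return sid


def complete_login(sid: str, code: str, now: Optional[int] = None) -> Optional[str]:
    """Stage 2: verify the one-time code, then replace the session with a full one."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["roles"] != {PRE_AUTH_ROLE}:
        return None  # only a pending pre-auth session may complete login
    user = USERS[sess["user"]]
    sess["attempts"] += 1
    if sess["attempts"] > MAX_CODE_ATTEMPTS:
        del SESSIONS[sid]  # throttle brute force on the 6-digit code
        return None
    # Accept the current 30 s step and one either side to tolerate clock skew.
    t = int(time.time()) if now is None else now
    ok = any(hmac.compare_digest(totp(user["totp_secret"], t + d), code) for d in (-30, 0, 30))
    if not ok:
        return None
    del SESSIONS[sid]  # drop the pre-auth session: no reuse, no session fixation
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": sess["user"], "roles": set(user["roles"]), "attempts": 0}
    return new_sid


def roles_for(sid: str) -> Set[str]:
    """Roles the application should honour for a session id (empty if unknown)."""
    return set(SESSIONS.get(sid, {}).get("roles", set()))
```

The two points that matter map directly onto the answer's steps: between stages the session carries a role with no application rights, and completion creates a fresh session rather than upgrading the old one, so a pre-auth session id that leaked or was fixed by an attacker never becomes a fully privileged one.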