Changing default login behavior (2FA/Password expiry)

Hi, I’m currently working on a PoC to modify the default login behavior; however, I’m unsure whether this is the right approach. What I want to achieve: When a user enters a username and password, the user information is retrieved; then there are three options: 1) when the account is set to require 2FA, an extra field is presented to enter the 2FA code. The 2FA code is then verified and if it all matches, the user is logged in. 2) In a similar way, the password age is checked. If the password is too old, the user needs to provide a new one on logon 3) None of the above applies: the user is logged in as usual I got a working prototype based on the modified login form widget (, however, this one seems to rely on a REST service which sends a 200 (login ok and no 2FA/password change needed), 202: extra information is needed (2FA token) or 401 (password not accepted, as it has been expired). It doesn't feel too secure to rely on a REST call to trigger different responses. Secondly, it relies on having anonymous user setup (with a different sign in page). Homepage – default: HOME Homepage override for anonymous user: LOGIN Sign-in page: LOGIN If I only have the sign in page set (so no override for anonymous), the sign in page is ignored and the homepage for all users is shown (what purpose does the sign in page have if it’s ignored?). So is this the approach I should take? I also read about overriding the login behavior (by adding a LoginActionListener) (like in the app SignIn microflow for Mx7 / Mx8). I don’t see how it can help me extend the login behavior like I want (extra parameters like token and new password). It works in the way it executes the custom java code and in the end call a microflow, but I don’t see how it will present the user with a new option on the login page. Or are there other approaches I can explore? Can I extend the mx.login function (static) login(username, password, onSuccess, onError) to accept more than username/password? Or can I make the sign in widget approach more secure?
1 answers

Hi Alex,

You could take a look at the AutoLogin module and (ab)use that logic:

  1. On login page you can check if the users has entered the correct credentials (JVA_FindMember will give you a boolean).
  2. If the user needs 2FA, handle it ;-) 
  3. Finally you could do that check and use the AutoLogin functionality (you already checked if the user entered the correct credentials). (see the AutoLogin module how to do that).


You need to update the AutoLogin module to 7.23+ yourself and update the Javascript Snippet ( to get it working in Mx8.

Maybe you can try something like this?