Authentication by passcode for log in

Hi everyone, one of our customers has a requirement where they want to ask for 3 random digits out of a 6-digit passcode after a user has been successfully authenticated by username and password. Because they want to ask for the passcode after successful authentication of username and password without generating a valid logged-in user session, the only way I can think of doing this is by extending the JavaScript in the login form widget, or creating a new login widget, and adding a custom login Java action. I just wanted to check with the community whether anyone has implemented a similar requirement and, if so, what their approach was. Can this be implemented without custom widget and login Java action development? It would be appreciated if you could share ideas for implementing this.   Many thanks!
2 answers

I started on, and had working, a two-factor auth (TFA) module in early 2017, but the project it was intended for never moved beyond the concept phase.

I hope it's either close to what you need or at least inspires your solution. Here's the repository that contains a working test project:

Unfortunately, it's not documented. Here are the Cliffs Notes:

  • The standard Mendix login handler is overridden with custom behavior:
    • if the account does not have TFA enabled (a boolean on the Account entity), the login process behaves as normal
    • if it does have TFA enabled, you will not be able to log in
  • A custom request handler was added to support the TFA login flow
  • A custom login form widget supports the TFA workflow (informing the user a token was sent, showing a form for entering the token)
  • In the test project, you'll find a two-factor auth module with microflows to check, send, verify, and reset the TFA token
  • I used TwilioSMS to actually send the user the TFA token, but the "send" microflow can simply be updated to suit your needs


The test project also contains "magic link" logins, where a user could be emailed a link, and that link would log them directly into their home page.
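The custom-handler approach in the answer above still needs the server-side logic for the "random 3 of 6 digits" step itself. The following is an added example, not code from the original question, the linked repository or Mendix: plain Java with no Mendix APIs, so it could be called from a custom login Java action or request handler with the username passed in. The two in-memory maps stand in for the Account entity and the session store, and the AES key is assumed to be provided from outside the database (a secret store or the runtime's constants), since a partial-passcode check cannot work against a single hash of the whole passcode.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical "ask 3 of 6 digits" challenge; no Mendix APIs, in-memory stand-ins. */
public class PartialPasscodeChallenge {
    private static final int PASSCODE_LENGTH = 6, DIGITS_ASKED = 3, MAX_ATTEMPTS = 3;
    private static final Duration CHALLENGE_TTL = Duration.ofMinutes(2);
    private static final SecureRandom RNG = new SecureRandom();

    // The server must recover individual digits, so the whole passcode cannot be stored
    // as one hash, and hashing each digit separately is pointless (10 candidates each).
    // Store it AES-GCM encrypted under a key kept outside the database (assumed here).
    private final SecretKey storageKey;
    private final Map<String, byte[]> encryptedPasscodes = new ConcurrentHashMap<>(); // stand-in for Account
    private final Map<String, Challenge> pending = new ConcurrentHashMap<>();         // stand-in for session store

    private static final class Challenge {
        final int[] positions; final Instant expires; int attempts;
        Challenge(int[] p, Instant e) { positions = p; expires = e; }
    }

    public PartialPasscodeChallenge(byte[] key) { storageKey = new SecretKeySpec(key, "AES"); }

    /** Called when the user sets the passcode; stores nonce || ciphertext+tag, bound to the username. */
    public void setPasscode(String username, char[] passcode) throws Exception {
        if (passcode.length != PASSCODE_LENGTH) throw new IllegalArgumentException("passcode must be 6 digits");
        for (char c : passcode) if (c < '0' || c > '9') throw new IllegalArgumentException("digits only");
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, storageKey, new GCMParameterSpec(128, nonce));
        gcm.updateAAD(username.getBytes(StandardCharsets.UTF_8));
        byte[] ct = gcm.doFinal(new String(passcode).getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, blob, 0, nonce.length);
        System.arraycopy(ct, 0, blob, nonce.length, ct.length);
        encryptedPasscodes.put(username, blob);
        Arrays.fill(passcode, '\0');
    }

    /** After username+password succeed but before a session is issued: pick 3 distinct
     *  positions, remember them server-side, return them 1-based for the widget to show. */
    public int[] issueChallenge(String username) {
        int[] positions = RNG.ints(0, PASSCODE_LENGTH).distinct().limit(DIGITS_ASKED).sorted().toArray();
        pending.put(username, new Challenge(positions, Instant.now().plus(CHALLENGE_TTL)));
        int[] shown = new int[DIGITS_ASKED];
        for (int i = 0; i < DIGITS_ASKED; i++) shown[i] = positions[i] + 1;
        return shown;
    }

    /** Checks the submitted digits against the pending challenge's positions. The same positions
     *  are kept across failed attempts, so an attacker who knows some digits cannot simply
     *  re-request until a convenient set of positions is asked. */
    public boolean verify(String username, char[] submitted) throws Exception {
        Challenge ch = pending.get(username);
        byte[] blob = encryptedPasscodes.get(username);
        if (ch == null || blob == null) return false;
        if (Instant.now().isAfter(ch.expires) || ++ch.attempts > MAX_ATTEMPTS) {
            pending.remove(username); // expired or too many guesses: back to a full password login
            return false;
        }
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, storageKey, new GCMParameterSpec(128, Arrays.copyOfRange(blob, 0, 12)));
        gcm.updateAAD(username.getBytes(StandardCharsets.UTF_8));
        byte[] full = gcm.doFinal(blob, 12, blob.length - 12);
        byte[] expected = new byte[DIGITS_ASKED];
        for (int i = 0; i < DIGITS_ASKED; i++) expected[i] = full[ch.positions[i]];
        Arrays.fill(full, (byte) 0);
        boolean ok = MessageDigest.isEqual(expected, new String(submitted).getBytes(StandardCharsets.UTF_8));
        if (ok) pending.remove(username); // single use: success consumes the challenge
        return ok;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        RNG.nextBytes(key); // constructed for the demo; in practice loaded from a secret store
        PartialPasscodeChallenge pc = new PartialPasscodeChallenge(key);
        String code = "493017"; // constructed sample passcode
        pc.setPasscode("alice", code.toCharArray());
        int[] ask = pc.issueChallenge("alice");
        char[] answer = new char[DIGITS_ASKED];
        for (int i = 0; i < DIGITS_ASKED; i++) answer[i] = code.charAt(ask[i] - 1);
        System.out.println("asked " + Arrays.toString(ask) + " -> " + pc.verify("alice", answer));
        System.out.println("replay -> " + pc.verify("alice", answer)); // false: challenge already consumed
    }
}
```

Whether `verify` runs before the Mendix session exists (custom handler) or as the first step of the home microflow, the points that matter are the same: the asked positions are chosen and stored server-side, the comparison is constant-time and single-use, attempts are capped, and the passcode at rest is recoverable only with a key that an attacker holding the database does not have.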


I would discuss the "without generating a valid logged-in user session" part with the client, because this could be handled in the home microflow, where you do this check before opening the homepage. This could be done with little effort, while the other option might be very hard or impossible. So why is a user session not allowed?