July 1, 2016 at 7:58 am #11758, sr (Participant)
We have a requirement for configuring 2 factor authentication using OpenAM.
Stage1 Auth: LDAP auth
Stage2 Auth: using OTP
We have configured the authentication chain in OpenAM13 with auth modules for LDAP (as required) & OAuthHOTP (as required) and it works fine as OOTB behaviour, i.e. every time a user tries to log in, he is prompted to first enter his LDAP credentials and then verify the OTP sent to him via email.
However, our requirement is that the OTP generated should remain valid for 2 days, and when a user who has once verified his OTP tries to log in again within 2 days, he should not be prompted to enter the OTP again.
Any pointers to achieve this would be highly helpful.
Thanks!

July 1, 2016 at 9:16 am #11761, Neil Madden (Participant)
You should be able to configure the OTP validation length to 2880 minutes to allow them to be valid for 2 days.
To allow a user to log in for the next 2 days after using the OTP you can use the Adaptive Risk module as Sufficient before the HOTP module and activate the last login time condition. Note that this stores the last login time in an encrypted cookie on the client so will be unique to that client. Otherwise you could achieve the same with a scripted auth module that checks the last login time via an attribute in the user profile.

July 1, 2016 at 10:47 am #11762, sr (Participant)
Thanks Neil! I’ll try the suggested approach & update if it works fine for us.
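The profile-attribute variant Neil mentions (a scripted module that decides whether the OTP stage can be skipped based on when the user last verified an OTP) comes down to a small window check plus one attribute write. The following is an added example, not code from the thread or from OpenAM: it implements that check as plain JavaScript so it can be run and tested outside the server. The attribute name `otpLastVerified`, the `FakeIdRepository` class and the function names are assumptions for illustration; OpenAM's scripted auth module exposes an `idRepository` binding with similarly named get/set operations, but the exact signatures should be confirmed against your version before wiring this into a real chain.

```javascript
// Added example: "skip the OTP stage if the user verified an OTP within the
// validity window", as plain functions. Names and the in-memory repository
// are assumptions made for this example, not OpenAM's own API.

const OTP_VALIDITY_MINUTES = 2880; // 2 days, the value used in the thread
const OTP_VALIDITY_MS = OTP_VALIDITY_MINUTES * 60 * 1000;

// Decide whether the stored "last verified" timestamp (epoch milliseconds,
// possibly stored as a string in the user profile) is still inside the
// window. Fails closed: a missing, unparseable, or future-dated value
// (clock skew, or an attribute that was tampered with) requires the OTP again.
function otpStillValid(lastVerifiedRaw, nowMs) {
  if (lastVerifiedRaw === null || lastVerifiedRaw === undefined) return false;
  const last = Number(lastVerifiedRaw);
  if (!Number.isFinite(last)) return false;
  if (last > nowMs) return false;
  return nowMs - last <= OTP_VALIDITY_MS;
}

// Minimal stand-in for the identity repository, constructed for this example
// so the logic runs offline. A real scripted module would call the server's
// idRepository binding instead.
class FakeIdRepository {
  constructor() { this.store = new Map(); }
  getAttribute(username, attr) {
    const user = this.store.get(username) || {};
    return Object.prototype.hasOwnProperty.call(user, attr) ? user[attr] : null;
  }
  setAttribute(username, attr, value) {
    const user = this.store.get(username) || {};
    user[attr] = value;
    this.store.set(username, user);
  }
}

const ATTR = "otpLastVerified"; // assumed custom profile attribute name

// Stage-2 entry point, reached only after the LDAP stage has succeeded.
// Returns "SKIP_OTP" (report the module as passed) or "REQUIRE_OTP"
// (fall through to the HOTP module as usual).
function otpStageDecision(repo, username, nowMs) {
  return otpStillValid(repo.getAttribute(username, ATTR), nowMs)
    ? "SKIP_OTP"
    : "REQUIRE_OTP";
}

// To be called only after the HOTP module has reported success; writing the
// timestamp anywhere earlier would let a failed OTP attempt open the window.
function recordOtpSuccess(repo, username, nowMs) {
  repo.setAttribute(username, ATTR, String(nowMs));
}

// Walk-through with constructed timestamps.
function demo() {
  const repo = new FakeIdRepository();
  const t0 = 1467360000000; // constructed epoch-ms value for "first login"
  const steps = [];
  steps.push(otpStageDecision(repo, "alice", t0));            // REQUIRE_OTP
  recordOtpSuccess(repo, "alice", t0);                        // OTP verified
  steps.push(otpStageDecision(repo, "alice", t0 + 36e5 * 24)); // SKIP_OTP
  steps.push(otpStageDecision(repo, "alice", t0 + OTP_VALIDITY_MS + 1)); // REQUIRE_OTP
  return steps;
}

console.log(demo().join(" -> "));
```

Because the decision lives in the user profile rather than in a client-side cookie, it applies to every client the user logs in from, which is the trade-off Neil points out between the two approaches: a stolen or shared password would be enough to pass the second stage for the rest of the window on any client, so the timestamp must be written only on a genuine OTP success and the check should fail closed on anything it cannot parse.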