2 factor authentication – Token validity

This topic has 2 replies, 2 voices, and was last updated 6 years, 2 months ago by sr.

    We have a requirement for configuring 2 factor authentication using OpenAM.
    Stage1 Auth: LDAP auth
    Stage2 Auth: using OTP
    We have configured the authentication chain in OpenAM 13 with auth modules for LDAP (as required) & OATH HOTP (as required), and it works fine as OOTB behaviour, i.e. every time a user tries to log in, he is prompted to first enter his LDAP credentials and then verify the OTP sent to him via email.

    However, our requirement is that the generated OTP should remain valid for 2 days, and that a user who has once verified his OTP and tries to log in again within 2 days should not be prompted to enter the OTP again.

    Any pointers to achieve this would be highly helpful.

     Neil Madden


    You should be able to configure the OTP validation length to 2880 minutes to allow them to be valid for 2 days.

    To allow a user to log in for the next 2 days after using the OTP, you can use the Adaptive Risk module as Sufficient before the HOTP module and activate the last login time condition. Note that this stores the last login time in an encrypted cookie on the client, so it will be unique to that client. Otherwise you could achieve the same with a scripted auth module that checks the last login time via an attribute in the user profile.
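The second option in the reply above (a scripted module that reads a last-login attribute from the user profile) comes down to one decision: is the stored verification time recent enough to skip the OTP stage? The block below is an added example written for this thread, not code from the thread, from OpenAM, or from ForgeRock. The attribute name `otpVerifiedTime`, the `stubRepo` object and its `getAttribute` method, the user records and the "current time" are all constructed here; OpenAM's real server-side script API is not used, so the block runs stand-alone in Node.

```javascript
// Added example (not from the thread or from OpenAM): the decision logic a
// server-side scripted auth module would apply to skip the OTP step when the
// user completed OTP verification within the last 2 days (2880 minutes).
// "otpVerifiedTime", stubRepo and its users are constructed for this example.

const OTP_VALIDITY_MINUTES = 2880; // 2 days, matching the value in the reply

// Parse an ISO-8601 timestamp stored on the user profile. Returns null for
// missing or malformed values so a bad attribute fails closed (OTP required).
function parseVerifiedTime(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  const ms = Date.parse(value);
  return Number.isNaN(ms) ? null : ms;
}

// Decide whether the OTP stage may be skipped. Fails closed on missing data
// and on timestamps in the future (clock skew or a tampered attribute).
function shouldSkipOtp(lastVerifiedMs, nowMs, validityMinutes) {
  if (lastVerifiedMs === null) return false;
  const ageMs = nowMs - lastVerifiedMs;
  if (ageMs < 0) return false;
  return ageMs <= validityMinutes * 60 * 1000;
}

// Constructed stand-in for a user repository lookup. Unlike OpenAM's
// idRepository, getAttribute here returns a single string, not a Set.
const stubRepo = {
  users: {
    alice: { otpVerifiedTime: '2016-03-01T09:00:00Z' }, // verified 1 day ago
    bob:   { otpVerifiedTime: '2016-02-20T09:00:00Z' }, // verified 11 days ago
    carol: {},                                           // never verified
  },
  getAttribute(username, attr) {
    const u = this.users[username];
    return u && u[attr] !== undefined ? u[attr] : null;
  },
};

// Emulates the module outcome: 'SKIP_OTP' plays the role of the Sufficient
// module passing, 'REQUIRE_OTP' falls through to the HOTP module in the chain.
function evaluateUser(repo, username, nowMs) {
  const raw = repo.getAttribute(username, 'otpVerifiedTime');
  const last = parseVerifiedTime(raw);
  return shouldSkipOtp(last, nowMs, OTP_VALIDITY_MINUTES) ? 'SKIP_OTP' : 'REQUIRE_OTP';
}

const NOW = Date.parse('2016-03-02T09:00:00Z'); // constructed "current time"
for (const name of Object.keys(stubRepo.users)) {
  console.log(name, evaluateUser(stubRepo, name, NOW));
}
```

Two points matter when this is wired to a real profile attribute: the attribute must be written only by the server after the OTP module succeeds and must not be self-writable by the user (otherwise a user can extend his own window), and the check should fail closed, as above, when the value is absent, unparseable or in the future.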


    Thanks Neil! I’ll try the suggested approach & update if it works fine for us.
