Saturday, February 22, 2014

Two factor authentication with Spring Security

In this blog post I would like to show you how you could implement (simulate) two factor authentication with Spring Security. If you would like to jump ahead right to the code, have a look at my github profile. To make the simple demo application easy to test I have uploaded it to heroku. Note that by default the application uses a single dyno (Heroku's term for a scalable unit) and it goes to sleep after one hour of inactivity. This causes a delay of a few seconds for the first request; subsequent requests perform normally.

I mentioned "simulate" above because the demo application turns the two factor authentication problem into a normal authentication plus authorisation problem. When valid credentials (here: email and password) are provided, the PRE_AUTH_USER role is assigned to the user. With this role the user is authorised only to access the view where the verification code can be entered. If the correct verification code is provided, the user is granted the USER role, with which all the views can be accessed.

Below you can see how easy it is to configure Spring Security with the Java config introduced in version 3.2.
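As an added example (not the post's own configuration, which is not reproduced on this page), the two-role scheme described above can be expressed in Spring Security 3.2 Java config like this. The class name, the `/login` and `/verify` paths, the `/resources/**` static path, and the injected `UserDetailsService` bean are assumptions; the `BCryptPasswordEncoder` assumes the stored passwords are BCrypt hashes.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Hypothetical config class: models the second factor as an authorisation step.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed bean: the AccountRepository adapted to UserDetailsService.
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // First factor: email + password checked against the stored BCrypt hash.
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // After the password check the user only holds PRE_AUTH_USER and
                // may reach nothing but the verification view (plus static assets).
                // hasRole() prepends "ROLE_" to the name given here.
                .antMatchers("/verify").hasRole("PRE_AUTH_USER")
                .antMatchers("/resources/**").permitAll()
                // Every other view needs the USER role, which is only granted
                // after the verification code has been checked.
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                // Always land on the code-entry view after the first factor,
                // ignoring any saved request so it cannot be skipped.
                .defaultSuccessUrl("/verify", true)
                .and()
            .logout().permitAll();
        // CSRF protection stays enabled by default in the 3.2 Java config.
    }
}
```

The important property is that the `anyRequest().hasRole("USER")` rule is evaluated by the filter chain on every request, so a user who has only passed the first factor cannot reach a protected view by typing its URL directly.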

In order to support non-security related user information, the AccountRepository is adapted to the UserDetailsService, so Spring Security can use it as an authentication source.
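An added example of such an adapter (not the project's own code): the `Account` and `AccountRepository` shapes and the `ROLE_PRE_AUTH_USER` authority name are assumptions, since the post's repository is not shown here. Only the first-factor role is granted at this point, because the second factor has not been checked yet.

```java
import java.util.Collections;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// Hypothetical domain type standing in for the post's account entity.
class Account {
    private final String email;
    private final String passwordHash; // BCrypt hash, never the plaintext
    private final boolean enabled;

    Account(String email, String passwordHash, boolean enabled) {
        this.email = email;
        this.passwordHash = passwordHash;
        this.enabled = enabled;
    }

    String getEmail() { return email; }
    String getPasswordHash() { return passwordHash; }
    boolean isEnabled() { return enabled; }
}

// Hypothetical repository: the non-security side of the user data.
interface AccountRepository {
    Account findByEmail(String email); // null when no such account exists
}

// Adapter: lets Spring Security use the AccountRepository as its user source.
@Service
public class AccountUserDetailsService implements UserDetailsService {

    private final AccountRepository accounts;

    @Autowired
    public AccountUserDetailsService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
        Account account = accounts.findByEmail(email);
        if (account == null) {
            // DaoAuthenticationProvider hides this as BadCredentialsException by
            // default, so the login form gives the same answer for unknown e-mails
            // and wrong passwords and cannot be used to enumerate accounts.
            throw new UsernameNotFoundException("No account for " + email);
        }
        // Password + e-mail only prove the first factor: grant the provisional
        // role; ROLE_USER is granted later by the verification step.
        return new User(
            account.getEmail(),
            account.getPasswordHash(),
            account.isEnabled(),
            true,  // accountNonExpired
            true,  // credentialsNonExpired
            true,  // accountNonLocked
            Collections.singletonList(new SimpleGrantedAuthority("ROLE_PRE_AUTH_USER")));
    }
}
```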

For the second-step verification a time-based one-time password (TOTP) algorithm is used, which is described very well here.
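As an added example that is not the post's own code, here is an RFC 6238 TOTP check (HMAC-SHA1, 30-second step, 6 digits, one step of clock drift tolerated in each direction) together with the controller step that exchanges `ROLE_PRE_AUTH_USER` for `ROLE_USER` once the code is correct. The `TotpSecretStore` lookup, the per-session attempt counter and its limit, and the `/verify` path are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Collections;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// RFC 6238 TOTP: HOTP(secret, floor(unixSeconds / 30)) truncated to 6 digits.
final class Totp {
    static final int STEP_SECONDS = 30;
    static final int DIGITS = 6;
    static final int DRIFT_STEPS = 1; // also accept the previous and next step

    static String generate(byte[] secret, long unixSeconds) throws GeneralSecurityException {
        long counter = unixSeconds / STEP_SECONDS;
        byte[] msg = ByteBuffer.allocate(8).putLong(counter).array(); // big-endian counter
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        int offset = h[h.length - 1] & 0x0f;                // dynamic truncation (RFC 4226)
        int binary = ((h[offset] & 0x7f) << 24)
                   | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8)
                   |  (h[offset + 3] & 0xff);
        int code = binary % (int) Math.pow(10, DIGITS);
        return String.format("%0" + DIGITS + "d", code);  // keep leading zeros
    }

    static boolean verify(byte[] secret, String submitted, long unixSeconds) throws GeneralSecurityException {
        if (submitted == null) return false;
        byte[] given = submitted.trim().getBytes(StandardCharsets.US_ASCII);
        boolean ok = false;
        for (int i = -DRIFT_STEPS; i <= DRIFT_STEPS; i++) {
            byte[] expected = generate(secret, unixSeconds + (long) i * STEP_SECONDS).getBytes(StandardCharsets.US_ASCII);
            // Constant-time compare, and no early return so timing does not
            // reveal which step (if any) matched.
            ok |= MessageDigest.isEqual(expected, given);
        }
        return ok;
    }
}

// Hypothetical lookup of the per-account shared secret (stored encrypted at rest).
interface TotpSecretStore {
    byte[] secretFor(String email);
}

@Controller
public class VerificationController {
    private static final int MAX_ATTEMPTS = 5;   // assumed limit: a 6-digit code has only 10^6 values
    private static final String ATTEMPTS_KEY = "totpAttempts";
    private final TotpSecretStore secrets;

    @Autowired
    public VerificationController(TotpSecretStore secrets) { this.secrets = secrets; }

    @RequestMapping(value = "/verify", method = RequestMethod.POST)
    public String verify(@RequestParam("code") String code, HttpSession session) throws GeneralSecurityException {
        // The URL rules only let a PRE_AUTH_USER reach this handler.
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        Integer attempts = (Integer) session.getAttribute(ATTEMPTS_KEY);
        int used = attempts == null ? 0 : attempts;
        if (used >= MAX_ATTEMPTS) {
            // Too many wrong codes: drop the half-authenticated session entirely.
            session.invalidate();
            SecurityContextHolder.clearContext();
            return "redirect:/login?locked";
        }
        long now = System.currentTimeMillis() / 1000L;
        if (!Totp.verify(secrets.secretFor(current.getName()), code, now)) {
            session.setAttribute(ATTEMPTS_KEY, used + 1);
            return "redirect:/verify?error";
        }
        // Second factor passed: keep the principal, swap the provisional role for
        // the full one. The 3-arg constructor marks the token as authenticated.
        UsernamePasswordAuthenticationToken upgraded = new UsernamePasswordAuthenticationToken(
            current.getPrincipal(), current.getCredentials(),
            Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
        upgraded.setDetails(current.getDetails());
        SecurityContextHolder.getContext().setAuthentication(upgraded);
        session.removeAttribute(ATTEMPTS_KEY);
        return "redirect:/";
    }
}
```

Two points worth checking in any implementation of this step: the code comparison must not short-circuit on the first differing digit, and the number of attempts per session must be bounded, since the code space is small enough that unlimited retries would let the second factor be guessed.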

10 comments:

James Douglas said...

Awesome that you can write out all the code for that. I am taking some html classes right now and trying to learn that. It seems very useful.

James | two factor authentication

Jak Manson said...

My cousin was telling me about this two factor authentication. He has been talking to me about it for a while now too. I just want to learn more and more about this so I can actually talk to him.
Jak Manson | http://www.celestix.com

Jay said...

Thanks. But the Heroku link gives this error.

"Application Error
An error occurred in the application and your page could not be served. Please try again in a few moments.

If you are the application owner, check your logs for details."

Jay said...

Very useful article.

Is it possible to have all 3 fields (username, password, verification code) on a single page? If all 3 are correct then set the Authorities on the SecurityContext, else throw exceptions. I am able to implement it up to the user/password combination. But I want to put a small piece of Java code for the OTP (2-factor authentication) and am not sure where to put this piece of Java code. Should I use filters?

Thanks
Jay

danielle aarssen said...

This comment has been removed by the author.

Dipan said...

Great article. Succinct and accurate. What helped me immensely was your github code that worked as a reference. I have used this to rollout an email based OTP solution using XML namespace configuration (since that is what was there from before).

Chandra Roy said...

Two Factor Authentication has become very necessary for website security. Your article gives us a better understanding of the 2FA verification process. It can be done through different options like Bulk SMS, Email, Voice call etc.

Elliot Thomson said...

Great article. The code helped me. Accurate it is.
Regards,
Elliot

john mike said...

CloudAce high quality Two-Factor Authentication solutions safeguard your network from malicious attempts and provide extra protection for a company's most sensitive information.
Two-Factor Authentication solutions


sunitha vishnu said...

It is amazing and wonderful to visit your site. Thanks for sharing this information, this is useful to me...
Android Training in Chennai
Ios Training in Chennai