2 factor authentication at logon

Hi all. I’m am currently working out how to get a proper 2 factor authentication working during login on an app. Basically, I want to get the following result: 1-Anonymous users are getting a login screen, asking for a username and password. 2-When filled in, a MF should check if the login is valid. If so, it should check if 2FA if set up for this user. If not, the user should be logged in, but otherwise the user has to enter a 2fa code. So a input for the 2FA should apear. 3-When the 2fa code is filled in, a MF should check the provided 2fa and if correct, the user should be logged in. I got this working as described via the appstore module “AutoLogin”. However, that one is not maintained, does not work in mendix 8 and I do not know if that is secure enough (based on tokens). Other options i have found (showing 2FA page via homepage MF, “SignIn microflow for Mx7 / Mx8” module, are all based on actions AFTER logging in. So in that case, the user already has a valid user session, and any 2FA forms after that point can be easily bypassed and are therefore basically useless. An MF Action “Login” with username and password as input should do the trick, but that does not seems to be available. Anyone had a clever idea on this topic?
2 answers

Hi Rene,

Did you look into this forum post https://forum.mendix.com/link/questions/90262?

I had similar requirement for two factor authentication couple of year ago and I used Eric’s POC project from GitHub as starting point and developed on top of that to implement client specific requirements for two factor authentication. So, maybe you can also do something similar.


Hope this helps! 


Why not just use a microflow in all your role based home pages that checks the 2FA code? Imho you do not need the autologin module at all. We have a boolean that checks if the user logs in for the first time. If so show him the page to generate the 2FA  QR code. After setup and check of the code the person enters there continue to the regular login screen.

And do not forget to set that first login boolean. You can also use that boolean for a reset of the authenticator. You just reset that first login boolean again.