Is there an app which will accept a user_id and password, and then require an answer to a secret question to complete the login? I've been trying to do this by dynamically changing the role of the logged-in user, but I gather this can't be done straightforwardly.
Jim Longstaff (lecturer)
I've done something similar, but with SMS authentication. The process I used was:
1. Create a custom log in action
2. When the user logs in, assign a specific user role for authentication (no other rights)
3. Let the user enter the additional information
4. If correct, redirect the user to a request handler
5. In the request handler, give the user all his normal application roles and create a new session
To make this work, you need to store your normal user roles in a different relation than System.UserRoles, because you will be setting the UserRoles association to a specific user role for authentication.
Furthermore, this doesn't really add security: one or two passwords don't really add anything security-wise. To improve security, you should add a random token (e.g. SMS code or Google authentication code).
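The five steps above as a stand-alone Python sketch; this is an added example, not the answerer's or Mendix's own code. The password stage opens a session that carries only an authentication-only role, the second stage checks a random code in constant time and then grants the user's normal roles in a fresh session. The role name, the user store and the way the code is delivered are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

AUTH_ROLE = "Authenticating"  # assumed role name: no rights beyond the second-factor page
SALT = b"constructed-salt"    # constructed; use a random per-user salt in practice
# Constructed user store. Normal roles are kept here, apart from the session's
# active roles, so the flow can grant them only after the second stage succeeds.
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"hunter2", SALT, 100_000),
        "normal_roles": {"User", "Editor"},
    },
}

@dataclass
class Session:
    sid: str
    user: str
    roles: set
    pending_code: str = ""  # non-empty only while the session is restricted

SESSIONS = {}  # sid -> Session

def _password_ok(user, password):
    expected = USERS.get(user, {}).get("pw_hash", b"")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(digest, expected)

def login_stage1(user, password):
    """Custom login action: good password -> session carrying only AUTH_ROLE."""
    if not _password_ok(user, password):
        return None
    code = f"{secrets.randbelow(10**6):06d}"  # the random token you would send by SMS
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(sid, user, {AUTH_ROLE}, pending_code=code)
    return sid, code  # code returned only so the caller can simulate delivery

def login_stage2(sid, code_entered):
    """Request handler: correct code -> NEW session holding the normal roles."""
    s = SESSIONS.get(sid)
    if s is None or AUTH_ROLE not in s.roles:
        return None  # only a restricted session may be upgraded
    del SESSIONS[sid]  # the restricted session is consumed either way
    if not hmac.compare_digest(s.pending_code.encode(), code_entered.encode()):
        return None  # wrong code: start again from the password stage
    new_sid = secrets.token_urlsafe(16)
    SESSIONS[new_sid] = Session(new_sid, s.user, set(USERS[s.user]["normal_roles"]))
    return new_sid
```

A wrong code discards the restricted session, so guessing costs a full restart from the password stage, and the session id changes on success so the restricted id never becomes a fully privileged one.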