{"id":69890,"date":"2017-10-23T19:00:45","date_gmt":"2017-10-23T16:00:45","guid":{"rendered":"https:\/\/www.javacodegeeks.com\/?p=69890"},"modified":"2017-10-23T11:51:22","modified_gmt":"2017-10-23T08:51:22","slug":"enabling-two-factor-authentication-web-application","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2017\/10\/enabling-two-factor-authentication-web-application.html","title":{"rendered":"Enabling Two-Factor Authentication For Your Web Application"},"content":{"rendered":"<p>It\u2019s almost always a good idea to support two-factor authentication (2FA), especially for back-office systems. 2FA comes in many different forms, some of which include SMS, TOTP, or even <a href=\"https:\/\/www.yubico.com\/products\/yubikey-hardware\/fido-u2f-security-key\/\">hardware tokens<\/a>.<\/p>\n<p>Enabling them requires a similar flow:<\/p>\n<ul>\n<li>The user goes to their profile page (skip this if you want to force 2FA upon registration)<\/li>\n<li>Clicks \u201cEnable two-factor authentication\u201d<\/li>\n<li>Enters some data to enable the particular 2FA method (phone number, TOTP verification code, etc.)<\/li>\n<li>Next time they log in, in addition to the username and password, the login form requests the 2nd factor (verification code) and sends that along with the credentials<\/li>\n<\/ul>\n<p>I will focus on Google Authenticator, which uses a TOTP (Time-based one-time password) for generating a sequence of verification codes. The idea is that the server and the client application share a secret key. Based on that key and on the current time, both come up with the same code. Of course, clocks are not perfectly synced, so there\u2019s a window of a few codes that the server accepts as valid. 
Note that if you don\u2019t trust Google\u2019s app, you can implement your own client app using the same library below (though you can see the <a href=\"https:\/\/github.com\/google\/google-authenticator\">source code<\/a> to make sure no shenanigans happen).<\/p>\n<p>How to implement that with Java (on the server)? Using the <a href=\"https:\/\/github.com\/wstrange\/GoogleAuth\">GoogleAuth library<\/a>. The flow is as follows:<\/p>\n<ul>\n<li>The user goes to their profile page<\/li>\n<li>Clicks \u201cEnable two-factor authentication\u201d<\/li>\n<li>The server generates a secret key, stores it as part of the user profile and returns a URL to a QR code<\/li>\n<li>The user scans the QR code with their Google Authenticator app, thus creating a new profile in the app<\/li>\n<li>The user enters the verification code shown in the app in a field that has appeared together with the QR code and clicks \u201cconfirm\u201d<\/li>\n<li>The server marks the 2FA as enabled in the user profile<\/li>\n<li>Optionally, you can give the user some \u201cscratch codes\u201d, which they can write down in case they lose their app or secret.<\/li>\n<li>If the user doesn\u2019t scan the code or doesn\u2019t verify the process, the user profile will contain just an orphaned secret key, but won\u2019t be marked as enabled<\/li>\n<li>There should be an option to later disable the 2FA from their user profile page<\/li>\n<\/ul>\n<p>The most important bit from a theoretical point of view here is the sharing of the secret key. The crypto is symmetric, so both sides (the authenticator app and the server) have the same key. It is shared via a QR code that the user scans. If an attacker has control of the user\u2019s machine at that point, the secret can be leaked and thus the 2FA \u2013 abused by the attacker as well. 
But that\u2019s not in the threat model \u2013 in other words, if the attacker has access to the user\u2019s machine, the damage is already done anyway.<\/p>\n<p>Note: you may see this process called either 2-step authentication or 2-factor. The \u201cfactors\u201d are: \u201csomething you know\u201d, \u201csomething you have\u201d and \u201csomething you are\u201d. You can view the TOTP as just another thing \u201cyou know\u201d, but you can also view the phone with the securely stored secret key as something \u201cyou have\u201d. I don\u2019t insist on either terminology in this particular case.<\/p>\n<p>Upon login, the flow is as follows:<\/p>\n<ul>\n<li>The user enters username and password and clicks \u201cLogin\u201d<\/li>\n<li>Using an AJAX request the page asks the server whether this email has 2FA enabled<\/li>\n<li>If 2FA is not enabled, just submit the username &amp; password form<\/li>\n<li>If 2FA is enabled, the login form is not submitted, but instead an additional field is shown to let the user input the verification code from the authenticator app<\/li>\n<li>After the user enters the code and presses login, the form can be submitted. Either using the same login button, or a new \u201cverify\u201d button, or the verification input + button could be an entirely new screen (hiding the username\/password inputs).<\/li>\n<li>The server then checks again if the user has 2FA enabled and if yes, verifies the verification code. If it matches, login is successful. If not, login fails and the user is allowed to reenter the credentials and the verification code. Note here that you can have different responses depending on whether username\/password are wrong or in case the code is wrong. You can also attempt to login prior to even showing the verification code input. 
That approach is arguably better, because you don\u2019t reveal to a potential attacker that the user uses 2FA.<\/li>\n<\/ul>\n<p>While I\u2019m speaking of username and password, that can apply to any other authentication method. After you get a success confirmation from an OAuth \/ OpenID Connect \/ SAML provider, or after you get a token from <a href=\"https:\/\/techblog.bozho.net\/securelogin-java-web-applications\/\">SecureLogin<\/a>, you can request the second factor (code).<\/p>\n<p>In code, the above processes look as follows (using Spring MVC; I\u2019ve merged the controller and service layer for brevity. You can replace the @AuthenticationPrincipal bit with your way of supplying the currently logged in user details to the controllers). Assuming the methods are in a controller mapped to \u201c\/user\/\u201d:<\/p>\n<pre class=\"brush:java\">@RequestMapping(value = \"\/init2fa\", method = RequestMethod.POST)\r\n@ResponseBody\r\npublic String initTwoFactorAuth(@AuthenticationPrincipal LoginAuthenticationToken token) {\r\n    User user = getLoggedInUser(token);\r\n    GoogleAuthenticatorKey googleAuthenticatorKey = googleAuthenticator.createCredentials();\r\n    user.setTwoFactorAuthKey(googleAuthenticatorKey.getKey());\r\n    dao.update(user);\r\n    \/\/ account name shown in the authenticator app; assumes User exposes getEmail()\r\n    return GoogleAuthenticatorQRGenerator.getOtpAuthURL(GOOGLE_AUTH_ISSUER, user.getEmail(), googleAuthenticatorKey);\r\n}\r\n\r\n@RequestMapping(value = \"\/confirm2fa\", method = RequestMethod.POST)\r\n@ResponseBody\r\npublic boolean confirmTwoFactorAuth(@AuthenticationPrincipal LoginAuthenticationToken token, @RequestParam(\"code\") int code) {\r\n    User user = getLoggedInUser(token);\r\n    boolean result = googleAuthenticator.authorize(user.getTwoFactorAuthKey(), code);\r\n    \/\/ only switch 2FA on when the code matches; a wrong code must not turn off 2FA that is already enabled\r\n    if (result) {\r\n        user.setTwoFactorAuthEnabled(true);\r\n        dao.update(user);\r\n    }\r\n    return result;\r\n}\r\n\r\n\/\/ state-changing, so POST rather than GET (the client code calls it with $.post)\r\n@RequestMapping(value = \"\/disable2fa\", method = RequestMethod.POST)\r\n@ResponseBody\r\npublic void disableTwoFactorAuth(@AuthenticationPrincipal 
LoginAuthenticationToken token) {\r\n    User user = getLoggedInUser(token);\r\n    user.setTwoFactorAuthKey(null);\r\n    user.setTwoFactorAuthEnabled(false);\r\n    dao.update(user);\r\n}\r\n\r\n@RequestMapping(value = \"\/requires2fa\", method = RequestMethod.POST)\r\n@ResponseBody\r\npublic boolean login(@RequestParam(\"email\") String email) {\r\n    \/\/ TODO consider verifying the password here in order not to reveal that a given user uses 2FA\r\n    return userService.getUserDetailsByEmail(email).isTwoFactorAuthEnabled();\r\n}<\/pre>\n<p>The QR code generation uses a Google service, which technically gives Google the secret key as well. I doubt they store it in addition to generating the QR code, but if you don\u2019t trust them, you can implement your own QR code generator; <a href=\"https:\/\/stackoverflow.com\/questions\/7195007\/what-is-the-best-java-qr-code-generator-library\">it should not be hard to generate a QR code<\/a> yourself.<\/p>\n<p>On the client side it\u2019s simple AJAX requests to the above methods (sidenote: I kind of feel the term AJAX is no longer trendy, but I don\u2019t know what to call them. Async? Background? 
JavaScript?).<\/p>\n<pre class=\"brush:java\">$(\"#two-fa-init\").click(function() {\r\n    $.post(\"\/user\/init2fa\", function(qrImage) {\r\n        $(\"#two-fa-verification\").show();\r\n        $(\"#two-fa-qr\").prepend($('&lt;img&gt;',{id:'qr',src:qrImage}));\r\n        $(\"#two-fa-init\").hide();\r\n    });\r\n});\r\n\r\n$(\"#two-fa-confirm\").click(function() {\r\n    var verificationCode = $(\"#verificationCode\").val().replace(\/ \/g,'');\r\n    \/\/ send the code in the POST body so it does not end up in URLs and access logs\r\n    $.post(\"\/user\/confirm2fa\", {code: verificationCode}, function(enabled) {\r\n        \/\/ the server returns false when the code does not match\r\n        if (String(enabled) !== \"true\") {\r\n            $.notify(\"Invalid verification code\", \"error\");\r\n            return;\r\n        }\r\n        $(\"#two-fa-verification\").hide();\r\n        $(\"#two-fa-qr\").hide();\r\n        $.notify(\"Successfully enabled two-factor authentication\", \"success\");\r\n        $(\"#two-fa-message\").html(\"Successfully enabled\");\r\n    });\r\n});\r\n\r\n$(\"#two-fa-disable\").click(function() {\r\n    $.post(\"\/user\/disable2fa\", function() {\r\n        window.location.reload();\r\n    });\r\n});<\/pre>\n<p>The login form code depends very much on the existing login form you are using, but the point is to call \/requires2fa with the email (and password) to check if 2FA is enabled and then show a verification code input.<\/p>\n<p>Overall, the implementation of two-factor authentication is simple and I\u2019d recommend it for most systems, where security is more important than simplicity of the user experience.<\/p>\n<div class=\"attribution\">\n<table>\n<tbody>\n<tr>\n<td>Published on Java Code Geeks with permission by Bozhidar Bozhanov, partner at our <a href=\"http:\/\/www.javacodegeeks.com\/join-us\/jcg\/\" target=\"_blank\" rel=\"noopener\">JCG program<\/a>. 
See the original article here: <a href=\"https:\/\/techblog.bozho.net\/enabling-two-factor-authentication-web-application\/\" target=\"_blank\" rel=\"noopener\">Enabling Two-Factor Authentication For Your Web Application<\/a><\/p>\n<p>Opinions expressed by Java Code Geeks contributors are their own.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s almost always a good idea to support two-factor authentication (2FA), especially for back-office systems. 2FA comes in many different forms, some of which include SMS, TOTP, or even hardware tokens. Enabling them requires a similar flow: The user goes to their profile page (skip this if you want to force 2fa upon registration) Clicks &hellip;<\/p>\n","protected":false},"author":55,"featured_media":112,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-69890","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java"]}