EDIT: Something similar to Authy would work too, if that service was i) hosted/SaaS and ii) able to send SMS messages.
- Most examples advocate RADIUS for two-factor authentication but I'm already using OpenLDAP for centralized authentication and would rather not add another local service to administer (but I'm happy calling out to Authy).
- The app itself that I want to two-factor authenticate is a Tomcat app which has its own internal form-based authentication, which will serve as the second type of authentication (see below).
- Apache httpd* is used to reverse proxy the app (as we do for all our Tomcat apps) so I can protect the resource at that point (as I've done occasionally w/LDAP). Once httpd grants access, the Tomcat authentication will proceed.
- I didn't see any mod_auth_authy or the like on their developer site https://www.authy.com/developers — just mostly libraries for languages, so I'm not sure how best to implement this.
(*Apache httpd may be replaced by NGINX at some point, so ideally the solution suggested would carry over, but please don't refrain from suggesting Apache httpd-only solutions!)
Best Answer
Authentication sequence and requirements still not clear to me, but other than that should be easy with apache. I have implemented a similar setup using cookies.
You need to have 2 locations under the same domain (to allow access to the same cookies) - one protected, another not protected (used to display the login page and create a cookie upon successful login).
httpd config of the protected location will look like below:
The second location should contain your login page, that will handle the login and create a cookie named 2FAToken with a random session ID; it should also create a text file under /home/securefolder/sessions/ with the file name same as the session ID
Apache will read the cookie, make sure the file with the same name exists in /home/securefolder/sessions/ and allow access to your app.
But, question, why don't you do it directly with your app?
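The login-page side of the scheme the answer describes (issue a random session ID, set it in a `2FAToken` cookie, create a marker file of the same name under `/home/securefolder/sessions/`, and later test that the file exists), as an added Python example that is not part of the answer or of any Authy or httpd code. The answer's httpd snippet itself is not reproduced on the page. The example goes slightly beyond the answer: it validates the cookie value against a strict pattern before using it as a file name, so a crafted cookie cannot name a path outside the session directory, and it expires markers after a TTL; the directory, TTL and the `demo()` walkthrough are assumptions made for illustration.

```python
import os
import re
import secrets
import tempfile
import time

# Directory the answer names for the per-session marker files.
SESSION_DIR = "/home/securefolder/sessions"
# Lifetime of a marker file. The answer's httpd check only tests that the
# file exists, so expiry is an assumption added in this example.
SESSION_TTL_SECONDS = 8 * 3600
# secrets.token_urlsafe(32) yields exactly 43 URL-safe base64 characters.
# Anything else (slashes, dots, empty string) is rejected before it is ever
# joined onto a filesystem path.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def create_session(session_dir=SESSION_DIR):
    """Issue a new session ID and create its marker file; returns the ID.

    Call this only after the second factor has been verified (for example,
    after the SMS code sent via Authy has been checked). O_EXCL turns an ID
    collision into a hard error instead of silently reusing another user's
    marker; mode 0o600 keeps the marker private to the login/httpd user.
    """
    token = secrets.token_urlsafe(32)
    path = os.path.join(session_dir, token)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as marker:
        marker.write(str(int(time.time())))
    return token


def cookie_header(token):
    """Set-Cookie value for the 2FAToken cookie the answer describes."""
    return f"2FAToken={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def session_is_valid(token, session_dir=SESSION_DIR, ttl=SESSION_TTL_SECONDS, now=None):
    """Same decision as the httpd side: the cookie value names an existing marker.

    Two guards are added here: the token must match TOKEN_RE (no path
    traversal through the cookie value), and markers older than ttl are
    treated as expired and removed.
    """
    if not isinstance(token, str) or TOKEN_RE.fullmatch(token) is None:
        return False
    path = os.path.join(session_dir, token)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    current = time.time() if now is None else now
    if current - st.st_mtime > ttl:
        revoke_session(token, session_dir)
        return False
    return True


def revoke_session(token, session_dir=SESSION_DIR):
    """Logout: removing the marker file invalidates the cookie everywhere at once."""
    if not isinstance(token, str) or TOKEN_RE.fullmatch(token) is None:
        return False
    try:
        os.remove(os.path.join(session_dir, token))
    except FileNotFoundError:
        return False
    return True


def demo():
    """Walk through issue -> check -> traversal attempt -> expiry -> revoke in a temp dir."""
    session_dir = tempfile.mkdtemp(prefix="sessions-")  # stand-in for SESSION_DIR
    token = create_session(session_dir)
    results = {
        "fresh_valid": session_is_valid(token, session_dir),
        "traversal_rejected": not session_is_valid("../../etc/passwd", session_dir),
        "unknown_rejected": not session_is_valid(secrets.token_urlsafe(32), session_dir),
        # Pretend the check happens a day later: the marker is expired and removed.
        "expired_rejected": not session_is_valid(token, session_dir, now=time.time() + 86400),
        "expired_removed": not os.path.exists(os.path.join(session_dir, token)),
    }
    second = create_session(session_dir)
    results["revoke_ok"] = revoke_session(second, session_dir)
    results["revoked_invalid"] = not session_is_valid(second, session_dir)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The marker directory should be writable only by the login handler and readable by httpd, and the cookie must be `Secure` and `HttpOnly` so the session ID is not exposed over plain HTTP or to page scripts; the strict token pattern is what makes "cookie value equals file name" safe to use on the httpd side.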