
4.4.4. Time-based One Time Password Credential Handler

This credential handler supports a username/password in conjunction with a time-based one-time token that changes at a fixed interval. This credential type allows you to enable two-factor authentication for your application.
Credentials can be updated as follows:
User user = BasicModel.getUser(identityManager, "jsmith");

TOTPCredential credential = new TOTPCredential("abcd1234", "my_totp_secret");

identityManager.updateCredential(user, credential);
Users can have multiple TOTP tokens, one for each device. You can configure tokens for a specific user device as follows:
User user = BasicModel.getUser(identityManager, "jsmith");

TOTPCredential credential = new TOTPCredential("abcd1234", "my_totp_secret");

credential.setDevice("My Cool Android Phone");

identityManager.updateCredential(user, credential);
In order to validate a credential you need the following code:
User user = BasicModel.getUser(identityManager, "jsmith");

TOTPCredentials credential = new TOTPCredentials();

credential.setUsername(user.getLoginName());
credential.setPassword(new Password("abcd1234"));

TimeBasedOTP totp = new TimeBasedOTP();

// let's manually generate a token based on the user secret
String token = totp.generate("my_totp_secret");

credential.setToken(token);

// if you want to validate the token for a specific device
// credential.setDevice("My Cool Android Phone");

identityManager.validateCredentials(credential);

if (Status.VALID.equals(credential.getStatus())) {
  // successful validation
} else {
  // invalid credential
}

4.4.4.1. Configuration Parameters

The following table describes all configuration parameters supported by this credential handler:

Table 4.3. Configuration Parameters

Parameter Description
TOTPCredentialHandler.ALGORITHM The HMAC algorithm used to generate tokens. Defaults to HmacSHA1.
TOTPCredentialHandler.INTERVAL_SECONDS The number of seconds a token is valid. Defaults to 30 seconds.
TOTPCredentialHandler.NUMBER_DIGITS The number of digits for a token. Defaults to 6 digits.
TOTPCredentialHandler.DELAY_WINDOW The number of previous intervals that are also accepted when validating tokens. Defaults to 1 interval (30 seconds with the default INTERVAL_SECONDS).
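The validation example and the configuration table above describe token generation and a backward-looking delay window; the following added example (not PicketLink code) implements the same RFC 6238 logic from the standard library so the effect of ALGORITHM, INTERVAL_SECONDS, NUMBER_DIGITS and DELAY_WINDOW can be observed. It uses the RFC 6238 test secret as a constructed stand-in for the page's "my_totp_secret" and treats the secret as raw bytes; how PicketLink encodes the secret string is an assumption not covered by the page.

```python
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"), used here as a
# constructed stand-in for the page's "my_totp_secret", treated as raw bytes.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, interval_seconds: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the counter is the number of whole intervals since the Unix epoch
    (INTERVAL_SECONDS); digits and algorithm mirror NUMBER_DIGITS and ALGORITHM."""
    return hotp(secret, int(unix_time) // interval_seconds, digits, algorithm)


def validate_totp(secret: bytes, token: str, unix_time: int, interval_seconds: int = 30,
                  digits: int = 6, algorithm: str = "sha1", delay_window: int = 1) -> bool:
    """Accept a token from the current interval or from up to delay_window earlier
    intervals (the role of DELAY_WINDOW). Tokens from future intervals are rejected
    and the comparison is constant-time."""
    if len(token) != digits or not token.isdigit():
        return False
    current = int(unix_time) // interval_seconds
    return any(
        hmac.compare_digest(hotp(secret, current - step, digits, algorithm), token)
        for step in range(delay_window + 1)
    )


if __name__ == "__main__":
    issued = totp(TEST_SECRET, 59)                # minted in interval 1 (t = 30..59 s)
    print(issued)                                 # 287082
    print(validate_totp(TEST_SECRET, issued, 89))                  # True: one interval late
    print(validate_totp(TEST_SECRET, issued, 119))                 # False: two intervals late
    print(validate_totp(TEST_SECRET, issued, 119, delay_window=2)) # True: wider window
```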