Posted to users@wicket.apache.org by Rob Audenaerde <ro...@gmail.com> on 2015/10/07 11:54:38 UTC

2 factor authentication, AuthenticatedWebSession, best practice?

Hi all,

I'm looking into 2 factor authentication for my Wicket Application.

Currently, I have a simple implementation where the user prepends a code to
his password and the authenticate method uses that part as second factor.

However, I would like a nicer interface (like, for example, Google uses).
In this interface, the user first enters his username and password. If they
match, the user is taken to a second login screen where he can enter a code
/ pick an option (app/text/call) to get a code.

I want to implement something similar in Wicket (using the
AuthenticatedWebApplication), but I'm not sure how to handle the Session.

I have thought of two options:

1. On successful username/password, set a role and redirect to the
CodePage. The user is 'signedIn' in the session (but not really, so this
seems a bit hacky)
2. Create a custom SignIn page, where username and password are checked in
the backend, passed on to the CodePage, and have the CodePage call
authenticate().

But there might be better alternatives as well.

What do you think is the best approach?

-Rob
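
Added example, not part of the original post and not code from the Wicket project: a sketch of a session that keeps a "password verified, code pending" state separate from Wicket's signed-in flag, so pages authorized on isSignedIn() or roles stay closed until the second step succeeds. TwoFactorSession, beginSignIn, completeSignIn, checkPassword, checkCode and MAX_CODE_ATTEMPTS are hypothetical names; the application is assumed to provide a concrete subclass.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Hypothetical session class: the password step only records a pending user;
// the session counts as signed in only after the code step succeeds.
public abstract class TwoFactorSession extends AuthenticatedWebSession {
    private static final long serialVersionUID = 1L;
    private static final int MAX_CODE_ATTEMPTS = 3; // assumed limit

    private String pendingUser; // password verified, code still outstanding
    private int failedCodes;

    protected TwoFactorSession(Request request) { super(request); }

    // Assumed backend hooks, supplied by the application's subclass.
    protected abstract boolean checkPassword(String username, String password);
    protected abstract boolean checkCode(String username, String code);

    // Step 1, called by the custom sign-in page before redirecting to CodePage.
    public synchronized boolean beginSignIn(String username, String password) {
        pendingUser = null;
        failedCodes = 0;
        if (!checkPassword(username, password)) return false;
        pendingUser = username;
        bind(); // keep the pending state across the redirect
        return true;
    }

    // Step 2, called by CodePage.
    public synchronized boolean completeSignIn(String code) {
        if (pendingUser == null) return false; // no password step, or too many tries
        if (!checkCode(pendingUser, code)) {
            if (++failedCodes >= MAX_CODE_ATTEMPTS) pendingUser = null; // back to step 1
            return false;
        }
        pendingUser = null;
        replaceSession(); // new session id once both factors have passed
        signIn(true);     // isSignedIn() becomes true only here
        return true;
    }

    // Refuse the inherited one-step signIn(username, password).
    @Override
    public boolean authenticate(String username, String password) { return false; }

    @Override
    public Roles getRoles() { return isSignedIn() ? new Roles(Roles.USER) : new Roles(); }
}
```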