# Stormpath is Joining Okta
We are incredibly excited to announce that Stormpath is joining forces with Okta. Please visit the Migration FAQs for a detailed look at what this means for Stormpath users.
We're available to answer all questions at [email protected].
This example demonstrates a flow where a multi-factor authentication (MFA) confirmation is required after each login and before gaining access to protected pages.
In particular, it uses time-based one-time passwords (TOTP) for MFA, and it uses the Google Authenticator QR code to set the shared secret. So, you'll want to grab a Google Authenticator-compatible app for your smartphone.
TL;DR:
- Register for Stormpath
- Save your apiKey file (found by following the Manage API Keys link in the admin console) to: `~/.stormpath/apiKey.properties`
- Run `mvn clean install`
- Run `mvn spring-boot:run`
- Browse to: http://localhost:8080
Note: Multi-Factor Authentication is only available with paid Stormpath plans. For more information please see Stormpath’s Pricing Page.
You can see this example in action at https://stormpath-mfa-example.herokuapp.com
The flow looks like this:
The diagram above is not as complex as it may seem. You can think of the left and right sides as two different flows.
On the right side of the diagram, the user has not logged in yet.
On the left side of the diagram, the user has already logged in.
Both flows ensure that (a) the user sets up MFA and (b) the user has validated the latest token code after logging in, but before getting to an authenticated page.
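The token check behind step (b), written out as an added example; it is not code from this project or from the Stormpath SDK. It implements RFC 6238 TOTP with the parameters Google Authenticator uses by default (HMAC-SHA1, 30-second step, 6 digits). The class and method names, the one-step skew window and the replay guard are assumptions of this sketch, and the secret is the published RFC 6238 test key.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class TotpCheck {
    static final int STEP_SECONDS = 30; // Google Authenticator default period

    // Decode the base32 shared secret delivered by the QR code (RFC 4648 alphabet).
    static byte[] base32Decode(String s) {
        String in = s.toUpperCase(java.util.Locale.ROOT).replace("=", "").replace(" ", "");
        byte[] out = new byte[in.length() * 5 / 8];
        int buffer = 0, bits = 0, n = 0;
        for (char c : in.toCharArray()) {
            int v = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not base32: " + c);
            buffer = (buffer << 5) | v;
            if ((bits += 5) >= 8) { bits -= 8; out[n++] = (byte) (buffer >> bits); }
        }
        return out;
    }

    // RFC 4226 HOTP over the time-step counter: HMAC-SHA1, dynamic truncation, 6 digits.
    static String codeAt(byte[] key, long step) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(step).array());
        int o = h[19] & 0x0f;
        int bin = ((h[o] & 0x7f) << 24) | ((h[o + 1] & 0xff) << 16) | ((h[o + 2] & 0xff) << 8) | (h[o + 3] & 0xff);
        return String.format("%06d", bin % 1_000_000);
    }

    // Returns the matched step or -1; allows +/-1 step of skew, refuses steps <= lastUsedStep (replay).
    static long verify(String secret, String code, long epochSeconds, long lastUsedStep) throws Exception {
        byte[] key = base32Decode(secret), given = code.getBytes(StandardCharsets.US_ASCII);
        long now = epochSeconds / STEP_SECONDS, matched = -1;
        for (long step = now - 1; step <= now + 1; step++) {
            byte[] expected = codeAt(key, step).getBytes(StandardCharsets.US_ASCII); // constant-time compare below
            if (MessageDigest.isEqual(expected, given) && step > lastUsedStep) matched = step;
        }
        return matched;
    }

    public static void main(String[] args) throws Exception {
        String secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"; // constructed: RFC 6238 test key, base32-encoded
        long t = 1111111109L, step = verify(secret, "081804", t, -1); // time and code from the RFC 6238 SHA-1 vectors
        System.out.println("first use -> step " + step + ", replay -> " + verify(secret, "081804", t, step));
    }
}
```

A caller would store the returned step per user and pass it back as `lastUsedStep` on the next attempt, so the same code is not accepted twice within its validity window.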
This example takes advantage of Stormpath's postLoginHandler that all of our integrations support.
Here's the typical flow: