DIY 2Factor using OpenID Connect as the authentication API

There is no license fee for passwords. It may sound silly, but businesses are simply not used to the idea that they need to pay for authentication. Also, the idea that passwords are “dead” is crazy. Companies already manage passwords for people. However, as everyone knows, passwords alone are a recipe for disaster. So what is a domain to do if they want to add a second factor of authentication, but they don’t want to add yet another SaaS fee or annual per user license?

QR Code

Tiqr is a free, open source solution developed by SURFnet. Surfnet has published an Android and iPhone application to scan a QR code, which can be displayed on a web page. If you’re ok instructing people in your domain to use a Surfnet branded app, its a good option. Gluu offers Tiqr authentication as part of its Gluu Server subscription offering. If you want to deploy the Tiqr server yourself, it uses SimpleSAMLphp to pubish the authentication APIs, which is pretty easy to install / manage. Its also possible to perhaps customize Surfnet’s open source applications, to give the app a look and feel more appropriate for your domain.


If you can enroll a Person’s mobile device, and push a message to that device, its a very strong indicator that the person has really authorized a transaction. Red Hat has published an open source server called AeroGear Push that acts as a facade for the Apple, Google and Mozilla push networks. There is a nice diagram. Instead of having to learn the API’s of each of these networks, you can make one request such as this:

curl -u "{MobileVariantID}:{secret}"
-v -H "Accept: application/json" -H "Content-type: application/json"
-d '{
"deviceToken" : "someTokenString",
"deviceType" : "iPad",
"operatingSystem" : "iOS",
"osVersion" : "6.1.2",
"alias" : "someUsername or email adress...",
"category" : "football",
"simplePushEndpoint" : ""

The nice thing about the PUSH approach is that the app doesn’t even have to be running for the notification to work, as it is received at the OS level.


Ok, its not totally free, but at the price service providers like Callcentric sell SIP service, the cost is pretty negligible. In the Asterisk VoIP platform, you can create a “dialplan” to call a number (that you have pre-associated with the person) and read the DTMF, which could be the person pressing # or some pin number. Asterisk hooks to Java with the Asterisk-Java library, so you can keep all your actual business logic in Java, and just use Asterisk to read the DTMF, and to dial the phone number via the SIP trunk.

Browser Certificate

The usability has been terrible, so this is not something I recommend unless you work with an organization full of geeks. But you can launch your own Certificate Authority, or use a free service like for “user certificates.”

Network / Location

Used with care, the network (or if you look up the respective location of that network) can help you to identity the person. Some domains might allow one method for authentication from their office, and another for remote access. The location can be pretty specific. Some companies are remembering previous locations, and using it for authentication. However, you’ll need to read the license agreement of the api to see if your application can use it for commercial purposes. Location can also be a pretty good indicator that its NOT you… for example, LinkedIn will notify you via email if someone tries to login to your account from a foreign country.


The price of NFC stickers and tags has come way down.. in bulk, as low as $0.20 a piece. I just ordered a few from RapidNFC. NFC is both readable, and writable. There is not much room–only about 64 characters–but enough to put a URL or access token that can add security over password alone.

Browser Session Information

Cookies are also not a very strong way to a identify a person, but many consumer services use them as a “factor.” For example, when you go to Amazon, they say recognize you, and “step-up” the authentication when you place an order or edit your profile.

The Context

The best possible usability for an authentication mechanism is the one you never see. A relying party (i.e. a website) can add up all the contextual piece of information to determine if interactively authenticating the person is necessary for their respective transaction. The trendy jargon for this is “adaptive authentication.” I can’t tell you what those indicators are for your business… they may include device ids, or something specific to your service offering or product. But use ’em if you got ’em.

Publish an authentication API

Once you figured out what factors you want to use for authentication, you may want to look at OX as a way to publish a standard Oauth2 API for your authentication mechanism. This Gluu blog contains information on how to use OX Custom Authentication scripts to use Python to code the business logic. You can also watch the Gluu video on Strong Authentication.

Sample Authentication Scripts


HAVE FUN! You can DIY!