Two-factor authentication


Are there any plans for providing two-factor authentication with the CUBA platform? I would like to provide additional security for my users.

I was looking at this article from Vaadin that seems appropriate but am not sure how to integrate this into the CUBA platform:

Any thoughts?

Any news on this one?


I’ve checked this approach and created a small demo where I use Google Authenticator to add an additional auth key check to the login window. See the demo sources here: GitHub - cuba-labs/two-factor-auth: Two factor auth using additional authentication code from Google Authenticator

If a user wants to enable two-factor authentication, they go to the Help - Settings menu and click Two factor auth - Enable / Regenerate. Then they scan the QR code using the Google Authenticator mobile application (or another authenticator app). This secret key is stored in the DB; see the extended User entity, ExtUser, with two additional attributes: totpSecret and totpValidationCode.

After that they can log in to the system only if they enter the additional auth key in the login form:

This demo uses the Vaadin add-on org.vaadin.addons:qrcode:2.0.1 and the com.warrenstrange:googleauth:1.1.1 library. See the extended loginWindow and settings screen for implementation details.

Currently, we are not planning to include this option in the platform, but we are thinking about a pluggable and generalized auth process that can be introduced in the near future.




Hi Yuriy, this is excellent - wow! I will see to get this integrated into my own application but this really is more than I was expecting.

Will also watch developments on the pluggable auth process as combining the application with federated logins would be something I’m interested in as well. Hopefully this gets into planning very soon!

Thanks again for the excellent service!

It would be very, very nice to see this integrated in a more plug-and-play fashion into the stock login screen.

2FA is fast becoming non-optional.


@artamonov Maybe I’m misunderstanding something fundamentally here, but I thought everything in the web module is compiled to JS and run in the browser. If that is indeed the case, isn’t the code in this example problematic:

… because the TOTP secret is used in client code (browser) it would be relatively easy to retrieve for anybody knowing the username.

Of course, as I said in the first sentence, I could be completely mistaken here, but would really like if you could clarify that for me.

Hi @klaus,

You are absolutely right about being completely mistaken :smile: The Cuba platform (or more precisely, the underlying Vaadin engine) runs much of its code server-side, including the web module in which this code is placed. Only snippets and general platform code (e.g. jQuery stuff) run in the browser.


Ok, thanks, awesome. :slight_smile:

I am also looking at building Multi-Factor Authentication for the Cuba login. In my use case, I need to verify the login of the user first, before popping up a dialog to challenge the user for the PIN code. The PIN code can be a Google Auth or SMS/email OTP. Is there a way to have Cuba validate the login credentials first, but not enable the session, before sending out the OTP and asking the user for it? Currently the login screen called dologin and the session is created. But if I open the same screen in the same browser, my challenge dialog box is bypassed.


Yes, there is. We are doing something like this:

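    // Assumes an injected AuthenticationService field named authenticationService.
    protected boolean checkCredentials(Credentials credentials) {
        try {
            // authenticate() verifies the credentials but does not start a session
            authenticationService.authenticate(credentials);
            return true;
        } catch (LoginException e) {
            showNotification(formatMessage("UserUnknownOrPasswordIncorrect"), NotificationType.WARNING);
            return false;
        }
    }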

The AuthenticationService allows you to authenticate without starting a session. From the JavaDoc:

Authenticates a user and provides authentication details. Does not start session.




I am currently building a 2FA for an application using this project as a base. However, I am trying to make a validation when enabling this feature by making the user input the verification code scanned by Google Authenticator and I am noticing 2 things:

  1. The verification code persisted on the DB does not change dynamically as on the authenticator.
  2. The generated code is never displayed on the authenticator.

This means, I can scan the QR code and get a key but that key is not the same as the verification code for the ExtUser.

Do you have any ideas on how to improve/fix that on my project?


The verification code in the database is not really used I believe, not sure. At least it works the other way around, the user provides the code which is checked by the GoogleAuthenticator service using the user secret (that one is important!).

If you are able to scan the QR code (that holds the user secret), your authenticator app should generate codes every 30 seconds automatically. The code shown should be entered and checked as described above.
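
What the reply above describes, as an added example that is not part of the original posts or of the demo project: the server keeps only the secret and recomputes the expected code from that secret and the current time (RFC 6238), so no code has to be stored in the database. It uses JDK classes only rather than the googleauth library; the class name TotpCheck, its method names and the sample secret are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class TotpCheck {
    static final int STEP = 30; // seconds per code, as in the authenticator app

    // Decode the Base32 secret that the QR code carries (RFC 4648 alphabet).
    static byte[] base32(String s) {
        String clean = s.replace("=", "").toUpperCase();
        byte[] out = new byte[clean.length() * 5 / 8];
        int buf = 0, bits = 0, pos = 0;
        for (char c : clean.toCharArray()) {
            int v = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not Base32: " + c);
            buf = (buf << 5) | v;
            bits += 5;
            if (bits >= 8) { bits -= 8; out[pos++] = (byte) (buf >> bits); }
        }
        return out;
    }

    // RFC 6238: HMAC-SHA1 over the 30-second counter, then RFC 4226 truncation.
    static String codeAt(byte[] secret, long epochSec) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(epochSec / STEP).array());
        int o = h[19] & 0x0f;
        int bin = (h[o] & 0x7f) << 24 | (h[o + 1] & 0xff) << 16 | (h[o + 2] & 0xff) << 8 | (h[o + 3] & 0xff);
        return String.format("%06d", bin % 1_000_000);
    }

    // Recompute from the stored secret; accept +/- one step for clock drift.
    static boolean verify(String base32Secret, String submitted, long now) throws Exception {
        boolean ok = false;
        for (int w = -1; w <= 1; w++) {
            byte[] expected = codeAt(base32(base32Secret), now + w * STEP).getBytes(StandardCharsets.US_ASCII);
            ok |= MessageDigest.isEqual(expected, submitted.getBytes(StandardCharsets.US_ASCII));
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        String secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"; // constructed sample (RFC 6238 test key)
        String code = codeAt(base32(secret), 59);
        System.out.println(code + " valid at t=59: " + verify(secret, code, 59));
        System.out.println(code + " valid at t=600: " + verify(secret, code, 600));
    }
}
```

The same check can confirm enrollment: ask for one code right after the QR scan and enable 2FA for the account only if `verify` accepts it.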



Thanks for the quick answer!
Therefore, if the DB code is not really used, is there a proper way I can do this validation after enabling the 2FA, either by redirecting to the extended login screen after the QR scan or by manually entering the code generated by the GoogleAuthenticator service?

Edit: Solved! Thank you so much!
