I am looking to implement Google Authenticator in a CakePHP application. The trick is that a user can determine whether or not they want to use it. This means that if a user is using the multi-part login, they will log in normally with their username and password. Once they have successfully submitted their correct username / password combination, they need to be redirected to the page that asks for their passcode from Google Authenticator.
How do you limit the Authentication success until AFTER they enter the passcode? I can do the redirect and everything just fine, but if they exit the passcode form and go to the site, they have already authenticated using their username / password and they can navigate through the site just fine.
I need some direction on how to shut down authentication until AFTER the passcode confirmation is successful. Any ideas?
I noticed this question is pretty old and unanswered, I also work on something similar so I'll share my two cents. Hope you've already solved this problem by now.
Your user management system should provide a session key only after the entire login process has been completed; this means you should let users in only after they have provided all auth data through all steps.
- loginCheck() should check if user and password are ok, otherwise deny access
- if(GAuth) should return true or false, depending on whether your user uses GAuth
- checkTotp should be a method to check the TOTP password on client and server
- sessionKey should be the token used to access protected content, stored server-side and client-side for a period of time
Or adapt this idea to your needs ... in my opinion you should accept the user in the system when he passes all authentication trials.
You could make a user form that holds user/password and passcode and process all data at once and avoid two pages.
Read more in RFC 6238: https://www.rfc-editor.org/rfc/rfc6238