Second Factors

Two-Factor Authentication (as known as 2FA) is a kind (subset) of multi-factor authentication. It is a method to confirm a user’s claimed identity by using a combination of two different factors between:

  1. something they know (login / password, …)

  2. something they have (Webauthn Key, smartphone, …)

  3. something they are (biometrics like fingerprints, …)

Since 2.0, LL::NG provides some second factor plugins that can be used for completing authentication module with 2FA:

Second factors that can be registered by the user:

Second factors that rely on external systems:

The E-Mail, External and REST 2F modules may be declared multiple times with different sets of parameters.

Self-care on Portal

User may register second factors themselves on the Portal by using the 2FA Manager.

The link will be displayed if at least one SFA module is enabled. You can set a rule to display or not the link.

Registration on first use

If you want to force a 2F registration on first login, you can use the Force 2FA registration at login option.

You can use a rule to enable this behavior only for some users.

Session upgrade through 2FA


If you enable the Use 2FA for session upgrade option, second factor will only be asked on login if the target application requires an authentication level that is strictly higher than the one obtained by the Authentication backend (first factor).

The session upgrade mechanism will only require the second factor step, instead of doing a complete reauthentication.


You can disable the upgrade confirmation by setting on the Skip upgrade confirmation option.

Go in Manager, General Parameters » Advanced parameters » Portal redirections.

Login timeout

Allowed time for the user to authenticate using their second factor. By default it is set to 2 minutes, but some complex second factor types (TOTP, email…) may require more time to be used.

Registration timeout

Allowed time for the user to register their new second factor. By default it is set to 2 minutes, but some complex second factor types (TOTP…) may require more time to be registered.

Allowed retries

You can allow users to retry entering their second factor multiple times. By default, users get only one chance, and must reauthenticate if they fail to input their second factor correctly on the first try.

Second factor expiration

You can display a message if an expired second factor has been removed by enabling Display a message if an expired SF is removed option or setting a rule. SF name(s) or number of removed SF can be displayed in message BODY by using _nameSF_ or _removedSF_ respectively.

Providing tokens from an external source

If you do not want to use self-registration features for Webauthn, TOTP and so on, you can set devices by yourself (in your LDAP server for example) and map it to _2fDevices attribute. _2fDevices is a JSON array that contains device descriptions :

[ {"type" : "TOTP", "name" : "MyTOTP", …}, {<other_device>}, …]

TOTP Device

{"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch" : "1523817955"}

Yubico OTP Device

{"name" : "MyYubikey" , "type" : "UBK" , "_yubikey" : "########" , "epoch" : "1523817715"}

Developer corner

To develop a new 2FA plugin, read Lemonldap::NG::Portal::Main::SecondFactor (3pm) manpage. Your 2F module must be a Perl class named Lemonldap::NG::Portal::2F:://<custom_name>//. To enable it, set available2F key in your lemonldap-ng.ini file :

available2F = TOTP,<custom_name>

To enable manager Second Factor Administration Module, set enabledModules key in your lemonldap-ng.ini file :

enabledModules = conf, sessions, notifications, 2ndFA