XMPP based Multi-Factor Authentication with WSO2 Identity Server 2.0

With the version 2.0 of WSO2 Identity Server, it supports multi-factor authentication for OpenIDs. WSO2 Identity Server can act as an identity provider and it can issue InfoCards and OpenIDs. With the the next version of Identity Server which is about to be released, users are benefited with a more assured authentication mechanism for their OpenIDs issued by WSO2 Identity Server.

Usually an authentication process considers only a single factor, something an user KNOWs like a password, pin number, etc. But multi-factor authentication consolidates this process further and enforces users to submit something he IS or something he HAS to prove that he is who he claims to be. Wikipedia gives a simple example to explain what multi-factor authentication is. According to FFIEC(Federal Financial Institutions Examination Council), a particular authentication process is considered as a multi-factor authentication iff at least two of these three factors (user KNOWs, user HAS, and user IS) are present in the process. With multi-factor authentication, users can expect a higher assurance as two or more factors as opposed to one factor generally delivers a higher level of authentication assurance.

“Multi-factor authentication is used every time a bank customer visits their local ATM machine. One authentication factor is the physical ATM card the customer slides into the machine. The second factor is the PIN number they enter. Without both, authentication cannot take place. This scenario illustrates the basic parts of most multi-factor authentication systems; the “something you have” + “something you know” concept.”

WSO2 Identity Server supports multi-factor authentication by using the Instant Messaging services. So in this case, the IM account of the user is considered as the entity that the user HAS. So users should prove that they do possess the IM account that they have provided when activating multi-factor authentication, in addition to providing the password/InfoCard for their OpenID.

Enabling multi-factor authentication is straight forward. Once you are logged into the IS, you will see Multi-Factor Authentication Link in the “my identity” menu on the left hand side.



Then enable multi-factor authentication by checking, “Enable XMPP based multi-factor authentication.”. Then start filling out the information required for multi-factor authentication. At the moment only the GTalk is supported as the IM server, but in future more IM providers will be supported. Provide your IM address in the username field and a PIN number. You can select, whether to promt for a PIN number in the authentication or not. You can mark your option using the check box, “Use the PIN number for authentication”. Prompting for PIN number is more stronger than the normal multi-factor authentication as it enforces to provide something you KNOW and something you HAVE in addition to the normal authentication based on something you KNOW.


After filling out all the required columns click “Add” button.


Your OpenID information is available in the InfoCard/OpenID Dashboard.


Then try to sign-in with your OpenID provided by the WSO2 IS. In this post, I am using an IS instance running on localhost.


Then it will ask for your password/InfoCard. Provide the appropriate credentials based on your sign up approach.


Then it will prompt for your PIN (If you have enabled prompting for a PIN) or for a confirmation to continue via IM. In this case I have configured the IS instance to use a GTalks account called “test” to send IMs to the OpenID users.


After that the authentication process is completed and you will be successfully logged into the system10

WSO2 Identity Server can provide with a higher security for the OpenID authentication. So it will be a valuable asset for any of the Identity Providers. Stay tuned for the latest news about WSO2 Identity Server which will offer revolutionary features in upcoming releases.

InfoCard/OpenID Dashboard


About this entry