Skip to Content
Author's profile photo Former Member

Multi-factor authentication, why not?

With enterprise systems moving to the cloud, security has never been so important.

As access to systems in the cloud are becoming more convenient, the more companies should strengthen access to these systems.

A few standard best practices include using strong encryption on data transit (VPN, SSL like HTTPS, etc.), multi-level firewalls, strong password policies, and more recently the emphasis of using stronger authentication mechanism like multi-factor authentication (MFA).

In recent years MFA had become popular not just to corporate but to the end-user. Thanks to Google’s Google-Authenticator (, typical web user like myself am able to better secure my Google account (Gmail, G+, etc) and even cloud providers like Amazon allows MFA to Amazon Web Services using Google-Authenticator (read IAM topic). I can have comparable level of security  when I logon to my Google account to when I connect to my corporate network (e.g. using VPN). At what cost?  not much or actually no cost at all, assuming I already have a smart device – iphone/android/etc..

The concept of MFA is not new. In the context of this blog, the concept is quite simple – with a security token associated to my account, someone may have a hard time guessing my password but even harder to steal my phone!

In my previous blog I have played with Custom Login module in the Portal to implement single-signon to the SAP NW Portal using a Facebook account (

This blog is a continuation of the concepts of the custom LoginModule. This time, demonstrating how to customise the SAP NW Portal logon to enable MFA.

Here are the components

1. Logon Page – this is a custom web application that is protected by Form login. The Logon page looks as follows. I’m not good at web design, so I have to give credits (end of this blog) to those clever folks who provides tutorials


2. Login Module – This custom login module does the verification of the security token / code based on the secret key that is associated to the user. The generation and assocation of secret key (which happens first) is explained next

And again I’m not an expert in TOTP algorithm and the Google Authenticator PAM module, so credits (bottom of this page) again to those very clever people

What basically hapens in the Login module is as follows

– checks username if it is valid

– with the username, determine the secret key for this user. I have done simple implementation by saving the secret key into a file and reading the key from it. An extra check is also implemented to see if the file is there (then MFA is active), if not then MFA is not active. In the latter case, login will proceed successfully (security code is skipped as with normal Basic authentication)

– with the secret key, verify if the code passed in the logon screen is valid

– return true in login() for successful logon

3.Logon redirect  – this is just redirect page to the portal (/irj/portal), and is part of the custom logon page in #1 above. This page is protected by the custom Login Module. The JAAS stack loos like the following.

EvaluateTicket – if the user is already logged in the Portal (has valid SSO token), then no need to prompt for logon

BasicPassword – does the form based user/pass check

GAuthLogin – checks the validity security token / code

CreateTicket – upon successful logon with user, pass, code combination, create SSO token


4. MFA registration and activation – HTML and JSP files to basically generate a secret key, show the QR code so Google Authentication app can store it, and the Portal to store the secret key to the file associated to the user



Secret key is saved to a file


Once active, then account is ready for MFA


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Andy Silvey
      Andy Silvey

      Hi Donald,

      this is a very nice blog, thank you.

      And a subject which is going to become more and more important.

      All the best,


      Author's profile photo Chris Paine
      Chris Paine


      I wrote an implementation of Google Authenticator for ABAP...

      but due to the issue around code exchange and sharing of ABAP code, didn't promote it much.

      hopefully with the changes to Code Exchange (it being shut down) I might get a chance to resurrect it.



      Author's profile photo Donka Dimitrova
      Donka Dimitrova

      SAP Authenticator already available !!!

      With the latest releases of the SAP Single Sign-On 2.0 product SAP offers two-factor authentication with Time-Based One-Time Password solution.

      SAP Authenticator is the passcode generator from SAP and it is available for iOS and Android platforms.

      SAP Authenticator offers also password protection. The password is defined during the installation of the application, it is used only for the encryption/decryption of the secret key, and it is not stored on the device. The password offers additional level of security, that is not available with the other similar OTP generator applications existing on the market.

      More information is available in this blog: Strong Two-Factor Authentication with One-Time Password Solution

      This solution could be used also for Mobile SSO. For more details, see Simple and Secure Mobile Single Sign-On with SAP Authenticator

      With the latest support package for SAP Single Sign-On 2.0 product we offer also risk based authentication solution, where the TOTP could be used for 2FA. More details you will be able to find in my blog: Risk-Based Authentication for Your Critical Business Processes

      Best Regards,

      Donka Dimitrova

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Awesome! It's nice to see SAP's stealing our ideas 😆

      Kidding aside, I knew its only about time for SAP to release such product

      Glad you mentioned it, I actually almost forgot about this blog I wrote more than a year ago!