Adding 2FA to Liferay DXP 7.1

Add 2FA support to Liferay DXP 7.1, with QR Codes and support for Google Authenticator and other 2FA apps

We recently had a requirement to add 2 Factor Authentication support for a demo, so I am pleased to share our implementation with the community.

Login

On login the user sees a new 'Authenticator Code' field below Password:

The user populates their credentials, launches the Google Authenticator app (or another 2FA app) on their phone and gets their code:

The user enters it on screen, clicks Sign In and hey presto, they have logged in with 2FA.

User setup

QR Codes are used to share the profile details with the end user:

These are shared with the end user by email, and for convenience (e.g. for demos and testing) the QR Code is also available through the Liferay profile screens (on the Password tab):
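
The login check and QR Code setup described above, sketched as an added example (not code from the liferay-2fa repository). It assumes Google Authenticator's default TOTP scheme (RFC 6238: HMAC-SHA1, 6 digits, 30-second step) and the `otpauth://` Key URI format; the class name, issuer, account and secret are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added illustration, not liferay-2fa code. Assumes RFC 6238 defaults: HMAC-SHA1, 6 digits, 30 s step.
public class TotpSketch {
    // Decode the unpadded Base32 Secret Key that the QR Code carries.
    static byte[] base32Decode(String s) {
        byte[] out = new byte[s.length() * 5 / 8];
        int buf = 0, bits = 0, n = 0;
        for (char c : s.toUpperCase().toCharArray()) {
            int v = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not Base32: " + c);
            buf = (buf << 5) | v; bits += 5;
            if (bits >= 8) { bits -= 8; out[n++] = (byte) (buf >> bits); buf &= (1 << bits) - 1; }
        }
        return out;
    }
    // HOTP (RFC 4226) over the time-step counter: HMAC, dynamic truncation, 6 digits.
    static String code(byte[] key, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int o = h[h.length - 1] & 0x0f;
        int bin = ((h[o] & 0x7f) << 24) | ((h[o + 1] & 0xff) << 16)
                | ((h[o + 2] & 0xff) << 8) | (h[o + 3] & 0xff);
        return String.format("%06d", bin % 1_000_000);
    }
    // Accept the current step and one either side for clock drift; compare in constant time.
    static boolean verify(String secret, String submitted, long epochSeconds) throws Exception {
        byte[] key = base32Decode(secret), got = submitted.getBytes(StandardCharsets.US_ASCII);
        boolean ok = false;
        for (long step = -1; step <= 1; step++) {
            ok |= MessageDigest.isEqual(code(key, epochSeconds / 30 + step).getBytes(StandardCharsets.US_ASCII), got);
        }
        return ok;
    }
    static String enc(String s) throws Exception { return URLEncoder.encode(s, "UTF-8").replace("+", "%20"); }
    // The string a provisioning QR Code encodes (Key URI format read by authenticator apps).
    static String provisioningUri(String issuer, String account, String secret) throws Exception {
        return "otpauth://totp/" + enc(issuer + ":" + account) + "?secret=" + secret + "&issuer=" + enc(issuer);
    }
    public static void main(String[] args) throws Exception {
        String secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"; // constructed: Base32 of the RFC 6238 test key
        System.out.println(provisioningUri("Liferay Demo", "test@example.com", secret));
        System.out.println(verify(secret, "287082", 59) + " " + verify(secret, "287082", 59 + 120));
    }
}
```

A production check would also reject a code that has already been accepted for the same time step and rate-limit failed attempts.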

Rollout

To simplify rollout:

  • QR Codes are used to configure the 2FA app. (Alternatively the user can manually configure the 2FA app.)
  • Users created after the full set of application modules are deployed will automatically be assigned a Secret Key on account creation and will be emailed a link to the QR Code.
  • There is an optional activator bundle that will generate Secret Keys and email QR Codes to all users.
  • Administrators can bypass 2FA and a custom User Group can be created to allow certain users to bypass 2FA if required.

Source & Documentation

The source is available here: https://github.com/michael-wall/liferay-2fa. It includes a readme with deployment steps and more information on configuration, limitations (e.g. storing Secret Keys in plain text) etc.