I finally solved my problem on my own, but I'm of course always open to other suggestions.
I implemented my own 2-factor authentication flow:
First of all, I changed the URL of the login page to which Shiro redirects an unauthenticated user, so that it points to my own login page, which leads into the authentication mechanism. A user needs to complete two "stages" to log in.
- On the first stage he/she has to provide a username and password; if these are valid, the user is redirected to the second stage of the login.
- Meanwhile, a one-time token has been generated and sent to the user via SMS. Also, the user's authentication progress has been saved in the session (which means I remember that stage 1 was completed successfully).
- On stage 2 the user needs to enter the token. If the token was
  - not valid or the number of attempts (5) to correctly enter the token was exceeded, or
  - expired (after 5 minutes),
  the user will be redirected to stage 1 and all progress will be deleted.
- If everything went fine, the user will be authenticated to Shiro (of course without letting him/her know).
In the end, the user will be redirected to the page he/she originally requested, which still allows him/her to bookmark pages. Of course, Shiro's remember-me will always be deactivated.
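The two-stage flow described in this answer, as an added example that is not the answerer's Shiro code: a plain dict stands in for the Shiro session, the password check and the SMS sender are injected callables, and the point where the answer "authenticates the user to Shiro" is marked in a comment (in Shiro that would be `subject.login(...)`). The URLs, the session key prefix `2fa.`, the `saved_request` key and the `TwoFactorLogin` class name are assumptions made for this example. It keeps the answer's numbers (5 attempts, 5-minute expiry) and clears only the stage-1 progress on failure, so the originally requested URL survives for the final redirect.

```python
"""Two-stage login: password, then SMS one-time token (added example).

A dict stands in for the Shiro Session; "authenticating to Shiro" is
represented by writing the user into that dict where subject.login(...)
would be called in a real Shiro application.
"""
import hmac
import secrets
import time
from typing import Callable, MutableMapping

STAGE1_URL = "/login/stage1"      # assumed URLs for this example
STAGE2_URL = "/login/stage2"
TOKEN_DIGITS = 6
TOKEN_TTL_SECONDS = 5 * 60        # token expires after 5 minutes
MAX_ATTEMPTS = 5                  # the 5th wrong token resets the flow
SESSION_PREFIX = "2fa."           # keys that hold stage-1 progress (assumed)


class TwoFactorLogin:
    def __init__(self, verify_password: Callable[[str, str], bool],
                 send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.verify_password = verify_password   # e.g. a Shiro realm lookup
        self.send_sms = send_sms                 # SMS gateway client
        self.clock = clock                       # injectable for testing

    @staticmethod
    def _reset(session: MutableMapping) -> None:
        """Forget all stage-1 progress but keep unrelated keys (saved URL)."""
        for key in [k for k in session if str(k).startswith(SESSION_PREFIX)]:
            del session[key]

    def stage1(self, session: MutableMapping, username: str, password: str) -> str:
        """Check username/password; on success issue a token and go to stage 2.

        Returns the URL the user must be redirected to next.
        """
        self._reset(session)                     # any earlier progress is void
        if not self.verify_password(username, password):
            return STAGE1_URL
        # 6-digit token from a CSPRNG, zero-padded so length is constant
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        session[SESSION_PREFIX + "user"] = username
        session[SESSION_PREFIX + "token"] = token
        session[SESSION_PREFIX + "issued"] = self.clock()
        session[SESSION_PREFIX + "attempts"] = 0
        self.send_sms(username, token)
        return STAGE2_URL

    def stage2(self, session: MutableMapping, entered: str) -> str:
        """Check the SMS token; returns the URL to redirect the user to."""
        user = session.get(SESSION_PREFIX + "user")
        if user is None:                         # stage 1 was never completed
            return STAGE1_URL
        if self.clock() - session[SESSION_PREFIX + "issued"] > TOKEN_TTL_SECONDS:
            self._reset(session)                 # expired: start over
            return STAGE1_URL
        session[SESSION_PREFIX + "attempts"] += 1
        # constant-time comparison so timing does not leak token digits
        if not hmac.compare_digest(session[SESSION_PREFIX + "token"], str(entered or "")):
            if session[SESSION_PREFIX + "attempts"] >= MAX_ATTEMPTS:
                self._reset(session)             # too many tries: start over
                return STAGE1_URL
            return STAGE2_URL                    # wrong token, ask again
        # Both stages passed. This is where subject.login(...) would be
        # called, with remember-me left disabled. The stage-1 state is
        # dropped so the session holds no token after authentication.
        self._reset(session)
        session["authenticated_user"] = user
        return session.pop("saved_request", "/")  # back to the bookmarked page
```

The caller (a servlet filter or controller) stores the originally requested URL under `saved_request` before redirecting to stage 1, then redirects to whatever `stage1()`/`stage2()` return; because `_reset()` only removes the `2fa.` keys, a failed or expired token does not lose that URL.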