Index: lams_central/conf/language/lams/ApplicationResources_en_AU.properties
===================================================================
diff -u -r51fb2a37254f24bb2a805d4ffd54482c779f43fa -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/conf/language/lams/ApplicationResources_en_AU.properties	(.../ApplicationResources_en_AU.properties)	(revision 51fb2a37254f24bb2a805d4ffd54482c779f43fa)
+++ lams_central/conf/language/lams/ApplicationResources_en_AU.properties	(.../ApplicationResources_en_AU.properties)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -1,9 +1,6 @@
 appName = lams_central 
 #language code: en 
-#locale code: AU 
-
-
- 
+#locale code: AU
 #=================== labels for LAMS Central =================# 
 
 label.username  =Username
@@ -672,4 +669,9 @@
 label.private.notifications.read.hint =Mark notification as read
 label.private.notifications.read.all.hint =Mark all notifications as read
 
+label.verification.code  =Verification code
+error.verification.code  =Sorry, entered verification code is incorrect. Please try again.
+label.your.new.shared.secret  =Your new shared secret: {0}
+label.2FA.shared.secret  =Two-factor authorization shared secret
+
 #======= End labels: Exported 439 labels for en AU =====
\ No newline at end of file
Index: lams_central/src/java/org/lamsfoundation/lams/web/IndexAction.java
===================================================================
diff -u -r5773f84ed608838de3521ecde87c52f3c72d478c -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/src/java/org/lamsfoundation/lams/web/IndexAction.java	(.../IndexAction.java)	(revision 5773f84ed608838de3521ecde87c52f3c72d478c)
+++ lams_central/src/java/org/lamsfoundation/lams/web/IndexAction.java	(.../IndexAction.java)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -53,40 +53,16 @@
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
 /**
- * @version
  *
- * <p>
- * <a href="IndexAction.java.html"><i>View Source</i></a>
- * </p>
- *
  * @author <a href="mailto:fyang@melcoe.mq.edu.au">Fei Yang</a>
- *
- * Created at 16:59:28 on 13/06/2006
  */
-/**
- * struts doclet
- *
- *
- *
- *
- *
- *
- *
- *
- *
- *
- *
- */
 public class IndexAction extends Action {
 
     private static final String PATH_PEDAGOGICAL_PLANNER = "pedagogical_planner";
     private static final String PATH_LAMS_CENTRAL = "lams-central.war";
 
     private static Logger log = Logger.getLogger(IndexAction.class);
     private static IUserManagementService userManagementService;
-    private static IExportToolContentService exportService;
-    private static IAuthoringService authoringService;
-    private static Configuration configurationService;
 
     @Override
     @SuppressWarnings("unchecked")
@@ -110,11 +86,14 @@
 
 	// check if user is flagged as needing to change their password
 	User loggedInUser = getUserManagementService().getUserByLogin(request.getRemoteUser());
-	if (loggedInUser.getChangePassword() != null) {
-	    if (loggedInUser.getChangePassword()) {
-		return mapping.findForward("password");
-	    }
+	if (loggedInUser.getChangePassword() != null && loggedInUser.getChangePassword()) {
+	    return mapping.findForward("password");
 	}
+	
+	// check if user needs to get his shared two-factor authorization secret
+	if (loggedInUser.isTwoFactorAuthenticationEnabled() && loggedInUser.getTwoFactorAuthenticationSecret() == null) {
+	    return mapping.findForward("twoFactorAuthentication");
+	}
 
 	User user = getUserManagementService().getUserByLogin(userDTO.getLogin());
 	request.setAttribute("portraitUuid", user.getPortraitUuid());
Index: lams_central/src/java/org/lamsfoundation/lams/web/PasswordAction.java
===================================================================
diff -u -r51fb2a37254f24bb2a805d4ffd54482c779f43fa -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/src/java/org/lamsfoundation/lams/web/PasswordAction.java	(.../PasswordAction.java)	(revision 51fb2a37254f24bb2a805d4ffd54482c779f43fa)
+++ lams_central/src/java/org/lamsfoundation/lams/web/PasswordAction.java	(.../PasswordAction.java)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -21,7 +21,6 @@
  * ****************************************************************
  */
 
-
 package org.lamsfoundation.lams.web;
 
 import javax.servlet.http.HttpServletRequest;
@@ -34,13 +33,6 @@
 
 /**
  * @author jliew
- *
- *
- *
- *
- *
- *
- *
  */
 public class PasswordAction extends Action {
 
Index: lams_central/src/java/org/lamsfoundation/lams/web/ProfileAction.java
===================================================================
diff -u -r5773f84ed608838de3521ecde87c52f3c72d478c -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/src/java/org/lamsfoundation/lams/web/ProfileAction.java	(.../ProfileAction.java)	(revision 5773f84ed608838de3521ecde87c52f3c72d478c)
+++ lams_central/src/java/org/lamsfoundation/lams/web/ProfileAction.java	(.../ProfileAction.java)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -66,24 +66,9 @@
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
 /**
- * @version
  *
- * <p>
- * <a href="ProfileAction.java.html"><i>View Source</i></a>
- * </p>
- *
  * @author <a href="mailto:fyang@melcoe.mq.edu.au">Fei Yang</a>
- *
- * Created at 14:21:53 on 28/06/2006
  */
-
-/**
- *
- *
- *
- *
- *
- */
 public class ProfileAction extends LamsDispatchAction {
 
     private static Logger log = Logger.getLogger(ProfileAction.class);
@@ -229,6 +214,9 @@
 	}
 	userForm.set("localeId", locale.getLocaleId());
 	request.setAttribute("locales", locales);
+	if (requestor.isTwoFactorAuthenticationEnabled()) {
+	    request.setAttribute("sharedSecret", requestor.getTwoFactorAuthenticationSecret());    
+	}
 	request.setAttribute("tab", "profile");
 
 	boolean hasLamsCommunityToken = requestor.getLamsCommunityToken() != null;
Index: lams_central/src/java/org/lamsfoundation/lams/web/action/TwoFactorAuthenticationAction.java
===================================================================
diff -u
--- lams_central/src/java/org/lamsfoundation/lams/web/action/TwoFactorAuthenticationAction.java	(revision 0)
+++ lams_central/src/java/org/lamsfoundation/lams/web/action/TwoFactorAuthenticationAction.java	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -0,0 +1,74 @@
+/****************************************************************
+ * Copyright (C) 2005 LAMS Foundation (http://lamsfoundation.org)
+ * =============================================================
+ * License Information: http://lamsfoundation.org/licensing/lams/2.0/
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2.0
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+ * USA
+ *
+ * http://www.gnu.org/licenses/gpl.txt
+ * ****************************************************************
+ */
+
+package org.lamsfoundation.lams.web.action;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.struts.action.Action;
+import org.apache.struts.action.ActionForm;
+import org.apache.struts.action.ActionForward;
+import org.apache.struts.action.ActionMapping;
+import org.lamsfoundation.lams.usermanagement.User;
+import org.lamsfoundation.lams.usermanagement.service.UserManagementService;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.context.support.WebApplicationContextUtils;
+
+import com.warrenstrange.googleauth.GoogleAuthenticator;
+import com.warrenstrange.googleauth.GoogleAuthenticatorKey;
+import com.warrenstrange.googleauth.GoogleAuthenticatorQRGenerator;
+
+/**
+ * @author Andrey Balan
+ */
+public class TwoFactorAuthenticationAction extends Action {
+
+    @Override
+    public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request,
+	    HttpServletResponse response) throws Exception {
+
+	WebApplicationContext ctx = WebApplicationContextUtils
+		.getWebApplicationContext(getServlet().getServletContext());
+	UserManagementService userManagementService = (UserManagementService) ctx.getBean("userManagementService");
+	
+	// check if user needs to get his shared two-factor authorization secret
+	User loggedInUser = userManagementService.getUserByLogin(request.getRemoteUser());
+	if (loggedInUser.isTwoFactorAuthenticationEnabled() && loggedInUser.getTwoFactorAuthenticationSecret() == null) {
+	    
+	    GoogleAuthenticator gAuth = new GoogleAuthenticator();
+	    final GoogleAuthenticatorKey key = gAuth.createCredentials();
+	    String sharedSecret = key.getKey();
+	    
+	    loggedInUser.setTwoFactorAuthenticationSecret(sharedSecret);
+	    userManagementService.save(loggedInUser);
+	    
+	    request.setAttribute("sharedSecret", sharedSecret);
+	    String QRCode = GoogleAuthenticatorQRGenerator.getOtpAuthURL(null, "LAMS account: " + loggedInUser.getLogin(), key);
+	    request.setAttribute("QRCode", QRCode);
+	}
+
+	request.setAttribute("tab", "profile");
+	return mapping.findForward("secret");
+    }
+}
Index: lams_central/web/WEB-INF/struts-config.xml
===================================================================
diff -u -r65efb0abb529cafc1977e284e2c9a4ed33722334 -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/web/WEB-INF/struts-config.xml	(.../struts-config.xml)	(revision 65efb0abb529cafc1977e284e2c9a4ed33722334)
+++ lams_central/web/WEB-INF/struts-config.xml	(.../struts-config.xml)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -149,6 +149,11 @@
         redirect="false"
       />
       <forward
+        name="twoFactorAuthentication"
+        path="/twoFactorAuthentication.do"
+        redirect="false"
+      />
+      <forward
         name="portrait"
         path="/portrait.do"
         redirect="false"
@@ -617,7 +622,21 @@
       validate="true"
     >
     </action>
+    
     <action
+      path="/twoFactorAuthentication"
+      type="org.lamsfoundation.lams.web.action.TwoFactorAuthenticationAction"
+      scope="request"
+      unknown="false"
+      validate="false"
+    >
+      <forward
+        name="secret"
+        path=".twoFactorAuthenticationSecret"
+        redirect="false"
+      />
+    </action>    
+    <action
       path="/passwordChanged"
       type="org.lamsfoundation.lams.web.PasswordChangeAction"
       name="PasswordChangeActionForm"
Index: lams_central/web/WEB-INF/tiles-defs.xml
===================================================================
diff -u -r9c83d6e84da12d1d753d9a0588ecd4a1b49de1f7 -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/web/WEB-INF/tiles-defs.xml	(.../tiles-defs.xml)	(revision 9c83d6e84da12d1d753d9a0588ecd4a1b49de1f7)
+++ lams_central/web/WEB-INF/tiles-defs.xml	(.../tiles-defs.xml)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -53,6 +53,10 @@
 	<definition name=".passwordChangeOk" path="/main.jsp">
 		<put name="profile" value="passwordChangeOkContent.jsp" />	
 	</definition>
+	
+	<definition name=".twoFactorAuthenticationSecret" path="/main.jsp">
+		<put name="profile" value="twoFactorAuthSecret.jsp"/>	
+	</definition>
 
 	<definition name=".error" path="/template.jsp">
 		<put name="titleKey" value="heading.general.error"/>
Index: lams_central/web/WEB-INF/web.xml
===================================================================
diff -u -rab7fcc93ccae4b3d2525a80b1613c42dd4bce12f -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/web/WEB-INF/web.xml	(.../web.xml)	(revision ab7fcc93ccae4b3d2525a80b1613c42dd4bce12f)
+++ lams_central/web/WEB-INF/web.xml	(.../web.xml)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -665,6 +665,7 @@
 			<url-pattern>/forgotPassword.jsp</url-pattern>
 			<url-pattern>/forgotPasswordChange.jsp</url-pattern>
 			<url-pattern>/forgotPasswordProc.jsp</url-pattern>
+			<url-pattern>/loginTwoFactorAuth.jsp</url-pattern>
 			<url-pattern>/signup/*</url-pattern>
 			<url-pattern>/rest/*</url-pattern>
 			<url-pattern>/runtimeStats</url-pattern>
Index: lams_central/web/editprofile.jsp
===================================================================
diff -u -r3dbf966d900adefc34cdad501d3c392118451cd9 -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_central/web/editprofile.jsp	(.../editprofile.jsp)	(revision 3dbf966d900adefc34cdad501d3c392118451cd9)
+++ lams_central/web/editprofile.jsp	(.../editprofile.jsp)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -157,6 +157,15 @@
 		</td>
 	</tr>
 	
+	<c:if test="${not empty sharedSecret}">
+		<tr>
+			<td class="align-right"><fmt:message key="label.2FA.shared.secret"/>:</td>
+			<td>
+				${sharedSecret}
+			</td>
+		</tr>
+	</c:if>	
+	
 	<c:if test="${not empty lamsCommunityToken}">
 		<tr>
 			<td class="align-right">
Index: lams_central/web/loginTwoFactorAuth.jsp
===================================================================
diff -u
--- lams_central/web/loginTwoFactorAuth.jsp	(revision 0)
+++ lams_central/web/loginTwoFactorAuth.jsp	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -0,0 +1,125 @@
+<%@page import="org.springframework.web.context.request.SessionScope"%>
+<%@ page language="java" pageEncoding="UTF-8" contentType="text/html;charset=utf-8"%>
+<%@ taglib uri="tags-fmt" prefix="fmt"%>
+<%@ taglib uri="tags-core" prefix="c"%>
+<%@ taglib uri="tags-lams" prefix="lams"%>
+<%@ page import="org.lamsfoundation.lams.util.Configuration"%>
+<%@ page import="org.lamsfoundation.lams.util.ConfigurationKeys"%>
+<%@ page import="org.lamsfoundation.lams.web.session.SessionManager"%>
+<%@ page import="org.lamsfoundation.lams.usermanagement.dto.UserDTO"%>
+
+<c:if test="${empty requestScope.login}">
+	<c:set var="login" value="${sessionScope.login}" />
+	<c:set var="password" value="${sessionScope.password}" />
+</c:if>
+
+<!DOCTYPE html>
+<lams:html>
+	<lams:head>
+		<title><fmt:message key="title.login.window" /></title>
+		<lams:css style="core" />
+		<link rel="icon" href="<lams:LAMSURL/>/favicon.ico" type="image/x-icon" />
+		<link rel="shortcut icon" href="<lams:LAMSURL/>/favicon.ico" type="image/x-icon" />
+		<script type="text/javascript" src="<lams:LAMSURL />includes/javascript/browser_detect.js"></script>
+		<script type="text/javascript" src="<lams:LAMSURL />includes/javascript/jquery.js"></script>
+		<script type="text/javascript">
+			function submitForm() {
+				$('#loginForm').submit();
+			}
+
+			function onEnter(event) {
+				intKeyCode = event.keyCode;
+				if (intKeyCode == 13) {
+					submitForm();
+				}
+			}
+
+			$(document).ready(function() {
+				$('#verificationCode').focus();
+			});
+		</script>
+	</lams:head>
+
+		<body class="stripes">
+			<div id="login-page">
+				<!--main box 'page'-->
+				<h1 class="no-tabs-below">&nbsp;</h1>
+
+				<div id="login-header"></div>
+				<!--closes header-->
+
+				<div id="login-content">
+				
+					<div id="login-left-col">
+						<h1>
+							<img src="<lams:LAMSURL/>/www/images/lams_login.gif" alt="LAMS - Learning Activity Management System" />
+						</h1>
+
+					</div>
+					<!--closes left col-->
+
+					<div id="login-right-col">
+						<p class="version">
+							<fmt:message key="msg.LAMS.version" />
+							<%=Configuration.get(ConfigurationKeys.VERSION)%>
+						</p>
+					
+						<h2>
+							<fmt:message key="button.login" />
+						</h2>
+						
+						<form action="/lams/j_security_check" method="POST" name="loginForm" id="loginForm">
+							<c:if test="${!empty param.failed}">
+								<div class="warning-login">
+									<fmt:message key="error.verification.code" />
+								</div>
+								
+							</c:if>
+							<input type="hidden" name="j_username" value="${login}" /> 
+							<input type="hidden" name="j_password" value="${password}" /> 
+							<input type="hidden" name="redirectURL" value='<c:out value="${param.redirectURL}" escapeXml="true" />' />
+
+							<p class="first">
+								<fmt:message key="label.verification.code" />
+								: <input id="verificationCode" name="verificationCode" type="text" size="16" style="width: 125px" tabindex="1"
+									onkeypress="onEnter(event)" />
+							</p>
+
+							<p class="login-button">
+								<a id="loginButton" href="javascript:submitForm()" class="button" tabindex="3" />
+									<fmt:message key="button.login" />
+								</a>
+							</p>
+						</form>
+					</div>
+					<!--closes right col-->
+
+					<div class="clear"></div>
+					<!-- forces the CSS to display the columns-->
+				</div>
+				<!--closes content-->
+
+			<div id="footer">
+				<p>
+					<fmt:message key="msg.LAMS.version" />
+					<%=Configuration.get(ConfigurationKeys.VERSION)%>
+					<a href="<lams:LAMSURL/>/www/copyright.jsp" target='copyright' onClick="openCopyRight()"> &copy; <fmt:message
+							key="msg.LAMS.copyright.short" />
+					</a>
+				</p>
+			</div>
+			<!--closes footer-->
+		</div>
+		<!--closes page-->
+			
+		<%
+			// remove login and password attributes from the session as they are no longer needed
+			HttpSession hs = SessionManager.getSession();
+			if (hs != null) {
+			    hs.removeAttribute("login");
+			    hs.removeAttribute("password");
+			}
+		%>
+	</body>
+
+</lams:html>
\ No newline at end of file
Index: lams_central/web/twoFactorAuthSecret.jsp
===================================================================
diff -u
--- lams_central/web/twoFactorAuthSecret.jsp	(revision 0)
+++ lams_central/web/twoFactorAuthSecret.jsp	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -0,0 +1,14 @@
+<%@ taglib uri="tags-fmt" prefix="fmt" %>
+
+<p class=body>
+	<fmt:message key="label.your.new.shared.secret">
+		<fmt:param>${sharedSecret}</fmt:param>
+	</fmt:message>
+</p>
+<p>
+	<img alt="" src="${QRCode}">
+</p>
+<p class=body>	
+	<input type="submit" class="button" value="Ok"
+		onClick="javascript:document.location='index.do?state=active&tab=profile';" />
+</p>
Index: lams_common/conf/hibernate/mappings/org/lamsfoundation/lams/usermanagement/User.hbm.xml
===================================================================
diff -u -rc3c499fa8b7a5487229a59411af3710fa878b93c -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_common/conf/hibernate/mappings/org/lamsfoundation/lams/usermanagement/User.hbm.xml	(.../User.hbm.xml)	(revision c3c499fa8b7a5487229a59411af3710fa878b93c)
+++ lams_common/conf/hibernate/mappings/org/lamsfoundation/lams/usermanagement/User.hbm.xml	(.../User.hbm.xml)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -58,6 +58,24 @@
 				not-null="false"
 			</meta>
 		</property>
+		<property name="twoFactorAuthenticationEnabled" type="java.lang.Boolean"
+			column="two_factor_auth_enabled" not-null="true" length="1">
+			<meta attribute="field-description">
+				@hibernate.property
+				column="two_factor_auth_enabled"
+				length="1"
+				not-null="true"
+			</meta>
+		</property>
+		<property name="twoFactorAuthenticationSecret" type="java.lang.String" column="two_factor_auth_secret"
+			not-null="true" length="64">
+			<meta attribute="field-description">
+				@hibernate.property
+				column="two_factor_auth_secret"
+				length="64"
+				not-null="true"
+			</meta>
+		</property>
 		<property name="title" type="java.lang.String" column="title"
 			length="32">
 			<meta attribute="field-description">
Index: lams_common/src/java/org/lamsfoundation/lams/dbupdates/patch2040067.sql
===================================================================
diff -u
--- lams_common/src/java/org/lamsfoundation/lams/dbupdates/patch2040067.sql	(revision 0)
+++ lams_common/src/java/org/lamsfoundation/lams/dbupdates/patch2040067.sql	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -0,0 +1,13 @@
+-- Turn off autocommit, so nothing is committed if there is an error
+
+SET AUTOCOMMIT = 0;
+SET FOREIGN_KEY_CHECKS=0;
+
+-- LDEV-3965 Ability to enable two-factor authentication for selected users
+ALTER TABLE lams_user ADD COLUMN two_factor_auth_enabled TINYINT(1) DEFAULT 0 AFTER salt;
+ALTER TABLE lams_user ADD COLUMN two_factor_auth_secret CHAR(64) AFTER two_factor_auth_enabled;
+
+-- If there were no errors, commit and restore autocommit to on
+SET FOREIGN_KEY_CHECKS=0;
+COMMIT;
+SET AUTOCOMMIT = 1;
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32 -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -25,9 +25,11 @@
 import javax.servlet.ServletContext;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang.math.NumberUtils;
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
@@ -37,6 +39,8 @@
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
+import com.warrenstrange.googleauth.GoogleAuthenticator;
+
 import io.undertow.Handlers;
 import io.undertow.server.session.Session;
 import io.undertow.servlet.ServletExtension;
@@ -96,6 +100,35 @@
 		    User user = getUserManagementService(session.getServletContext()).getUserByLogin(login);
 		    if (user != null) {
 			userDTO = user.getUserDTO();
+			
+			// if user is not yet authorized and has 2FA shared secret set up - redirect him to
+			// loginTwoFactorAuth.jsp to prompt user to enter his verification code (Time-based One-time Password)
+			if (request.getRemoteUser() == null && user.isTwoFactorAuthenticationEnabled()
+				&& user.getTwoFactorAuthenticationSecret() != null) {
+			    String verificationCodeStr = request.getParameter("verificationCode");		    
+			    int verificationCode = NumberUtils.toInt(verificationCodeStr);
+			    GoogleAuthenticator gAuth = new GoogleAuthenticator();
+			    boolean isCodeValid = gAuth.authorize(user.getTwoFactorAuthenticationSecret(),
+				    verificationCode);
+
+			    //user entered correct TOTP password
+			    if (isCodeValid) {
+				//do nothing and let regular login to happen
+				
+			    //user hasn't yet entered TOTP password (request came from login.jsp) or entered the wrong one
+			    } else {
+				session.setAttribute("login", login);
+				String password = request.getParameter("j_password");
+				session.setAttribute("password", password);
+				
+				//verificationCodeStr equals null in case request came from login.jsp
+				String redirectUrl = "/lams/loginTwoFactorAuth.jsp" + ((verificationCodeStr == null) ? "" : "?failed=true" );
+				HttpServletResponse response = (HttpServletResponse) context.getServletResponse();
+				response.sendRedirect(redirectUrl);
+				return;
+			    }
+			    
+			}
 		    }
 		}
 
Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/User.java
===================================================================
diff -u -r51fb2a37254f24bb2a805d4ffd54482c779f43fa -r9eaeb8328024c0c652dd7d17372dc4caf3a5852c
--- lams_common/src/java/org/lamsfoundation/lams/usermanagement/User.java	(.../User.java)	(revision 51fb2a37254f24bb2a805d4ffd54482c779f43fa)
+++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/User.java	(.../User.java)	(revision 9eaeb8328024c0c652dd7d17372dc4caf3a5852c)
@@ -53,6 +53,10 @@
      * persistent field
      */
     private String password;
+    
+    private Boolean twoFactorAuthenticationEnabled;
+    
+    private String twoFactorAuthenticationSecret;
 
     /**
      * persistent field
@@ -172,6 +176,7 @@
     /** default constructor */
     public User() {
 	changePassword = false;
+	twoFactorAuthenticationEnabled = false;
     }
 
     public Integer getUserId() {
@@ -205,7 +210,23 @@
     public void setSalt(String salt) {
 	this.salt = salt;
     }
+    
+    public Boolean isTwoFactorAuthenticationEnabled() {
+	return twoFactorAuthenticationEnabled;
+    }
 
+    public void setTwoFactorAuthenticationEnabled(Boolean twoFactorAuthenticationEnabled) {
+	this.twoFactorAuthenticationEnabled = twoFactorAuthenticationEnabled;
+    }
+    
+    public String getTwoFactorAuthenticationSecret() {
+	return twoFactorAuthenticationSecret;
+    }
+
+    public void setTwoFactorAuthenticationSecret(String twoFactorAuthenticationSecret) {
+	this.twoFactorAuthenticationSecret = twoFactorAuthenticationSecret;
+    }
+
     public String getTitle() {
 	return title;
     }