Securing Alma access with two-factor authentication (2FA) in combination with time-based one-time passwords (TOTP)
2FA and TOTP are common, standardised methods for securing access to IT systems. These concepts should be implemented to secure access to Alma as well. Such an implementation should replace the multi-factor authentication currently implemented in Alma, since the current one lacks security for at least the following reasons:
- Sending a link by email is insecure, since email can hardly be regarded as a secure transport medium.
- Using email to transfer the second factor makes it hard to keep the second factor independent of the device on which Alma access takes place.
- The link used as second factor for Alma authentication works independently of the password-authenticated session and can therefore be used on any device anywhere in the world to gain access to Alma (within one hour).
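
As an added illustration (example code, not part of the original idea and not Alma's or Ex Libris' implementation): a minimal RFC 4226/6238 HOTP/TOTP generator together with a hypothetical server-side verifier that shows the three properties the emailed link lacks: a short validity window instead of an hour, one-time use of each code, and binding of the second-factor check to the session that completed the password step. The `TotpVerifier` class, its method names and the session identifiers are assumptions for the example; the shared secret is the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(text):
    """Decode a shared secret as displayed by authenticator apps (base32, spaces ignored, padding optional)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Hypothetical server-side second-factor check (not Alma's code).

    Properties the emailed link in the idea text lacks:
      * a code is valid for one 30 s step (+/- one step of clock skew), not for an hour;
      * each time step can be redeemed once per user, so an observed code cannot be replayed;
      * the check is bound to the session that passed the password step, so the second
        factor cannot be redeemed from another device or browser.
    """

    def __init__(self, step=30, digits=6, skew_steps=1):
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self._pending = {}       # session_id -> user whose password was just verified
        self._last_counter = {}  # user -> last time-step counter that was accepted

    def password_step_done(self, session_id, user):
        """Called after the first factor succeeded; arms the second-factor check for this session only."""
        self._pending[session_id] = user

    def verify(self, session_id, user, secret, code, now=None):
        """True iff `code` is a fresh, unused TOTP for `user`, presented in the session that passed the password step."""
        if self._pending.get(session_id) != user:
            return False  # second factor presented outside the password-authenticated session
        if not code.isdigit():
            return False
        current = int(time.time() if now is None else now) // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self._last_counter.get(user, -1):
                continue  # this step (or an older one) was already redeemed: refuse replay
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter
                del self._pending[session_id]  # the session is now fully authenticated
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    print(totp(secret, for_time=59))  # 287082 (RFC 6238 SHA-1 vector, truncated to 6 digits)
```

Enrolment would store the per-user secret server-side and present it once as an `otpauth://` QR code; the same `hotp` routine, fed with a counter instead of a time step, also covers hardware HOTP tokens. A separate rate limit on failed `verify` calls is still needed, since a six-digit code can be brute-forced within the skew window otherwise.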

-
Norbert Gövert commented
Meanwhile, Ex Libris has acknowledged the weaknesses of the current implementation and promised fixes for the May 2025 release. However, that will just be bug fixing. Standard approaches to 2FA like TOTP, or alternative standard authentication approaches like FIDO2 / WebAuthn, would be a gain in terms of security as well as usability. Therefore this idea still demands further attention.
-
Dennis Müller commented
Thanks for bringing this to our attention. At least I wasn't aware that the current implementation was so poor. It seems to me this could and should be fixed in a timely manner using the mentioned tried and tested standards.
-
Katherine O'Brien commented
Thank you for looking at this in such detail. I'm particularly concerned about the last point:
"The link used as second factor for Alma authentication works independently of the password-authenticated session and can therefore be used on any device anywhere in the world to gain access to Alma (within one hour)." Can anyone from Ex Libris provide clarity on whether this is the intended behaviour?
-
Patricia Farnan commented
Next time I have some votes I will add some here! We definitely support this, as we need to be able to use internal accounts for the Sandbox but don't find it secure enough.
-
Frank Lützenkirchen commented
FIDO2 and WebAuthn should also be considered to secure administrative login to Alma. This would allow us to use hardware tokens for 2FA.