diff --git a/TODO-2.0.md b/TODO-2.0.md
index ad0e6fc73..e7d5ed315 100644
--- a/TODO-2.0.md
+++ b/TODO-2.0.md
@@ -1,3 +1,5 @@
+* GrantSession plugin
+* Test ForceAuth
 * Calendar in notifications explorer
 * login history
 * Test for Zero
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/U2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/U2F.pm
new file mode 100644
index 000000000..7485556b6
--- /dev/null
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/U2F.pm
@@ -0,0 +1,43 @@
+package Lemonldap::NG::Portal::Lib::U2F;
+
+use strict;
+use Mouse;
+
+our $VERSION = '2.0.0';
+
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+has crypter => ( is => 'rw' );
+
+has origin => (
+ is => 'rw',
+ default => sub {
+ my $p = $_[0]->{conf}->{portal};
+ $p =~ s#^(https?://[^/]+).*$#$1#;
+ return $p;
+ }
+);
+
+sub init {
+ my ($self) = @_;
+ eval 'use Crypt::U2F::Server::Simple';
+ if ($@) {
+ $self->error("Can't load U2F library: $@");
+ return 0;
+ }
+ unless (
+ $self->crypter(
+ Crypt::U2F::Server::Simple->new(
+ appId => $self->origin,
+ origin => $self->origin,
+ )
+ )
+ )
+ {
+ $self->error( Crypt::U2F::Server::Simple::lastError() );
+ return 0;
+ }
+ return 1;
+}
+
+1;
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index 2cabf5dc2..9d30edf3e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -345,6 +345,7 @@ sub updatePersistentSession {
 $uid ||= $req->{sessionInfo}->{ $self->conf->{whatToTrace} };
 return () unless ($uid);
+ $self->lmLog("Update $uid persistent session", 'debug');
 my $persistentSession = $self->getPersistentSession($uid);
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/U2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/U2F.pm
index b51c041f0..eec8f0169 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/U2F.pm
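Review bot: In Lib/U2F.pm the `origin` default silently keeps the whole configured `portal` value when it does not begin with `http://` or `https://`, because `s#^(https?://[^/]+).*$#$1#` simply fails to match and `$p` is returned unchanged; since that value becomes both `appId` and `origin` of the crypter, a malformed portal URL yields a U2F scope bound to the wrong string instead of a refused init. Have init reject it before building the crypter, e.g. `unless ( $self->origin =~ m{\Ahttps?://[^/]+\z} ) { $self->error("Bad portal URL for U2F origin"); return 0 }`. Separately, `eval 'use Crypt::U2F::Server::Simple'` is a string eval for a fixed module name; the block form `unless ( eval { require Crypt::U2F::Server::Simple; 1 } ) { $self->error("Can't load U2F library: $@"); return 0 }` does the same without string eval, which is what perlcritic flags.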
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/U2F.pm
@@ -1,3 +1,7 @@
+# U2F second factor authentication
+#
+# This plugin handle authentications to ask U2F second factor for users that
+# have registered their U2F key
 package Lemonldap::NG::Portal::Plugins::U2F;
 use strict;
@@ -5,10 +9,35 @@ use Mouse;
 our $VERSION = '2.0.0';
-extends 'Lemonldap::NG::Portal::Main::Plugin';
+extends 'Lemonldap::NG::Portal::Lib::U2F';
+
+# INTERFACE
+
+sub afterDatas { 'run' }
+
+# INITIALIZATION
+
+has ott => (
+ is => 'rw',
+ default => sub {
+ my $ott =
+ $_[0]->{p}->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken');
+ $ott->timeout( $_[0]->conf->{formTimeout} );
+ return $ott;
+ }
+);
 sub init {
+ my ($self) = @_;
+ return 0 unless $self->SUPER::init;
 1;
 }
+# RUNNING METHODS
+
+# Main method
+sub run {
+ my($self,$req) = @_;
+}
+
 1;
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Register/U2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Register/U2F.pm
index 95aaa50f4..ca8a254cb 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Register/U2F.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Register/U2F.pm
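Review bot: `run` is wired into the afterDatas chain by `sub afterDatas { 'run' }` while its body is only `my($self,$req) = @_;`, so the sub returns the value of that list assignment (2 in scalar context, the two arguments in list context) rather than an explicit result; if the chain reads return values as PE_* codes, a non-zero value would be treated as an error for every login once the plugin is enabled. Until the second-factor logic lands, make the stub explicit with `return PE_OK;` (imported from Lemonldap::NG::Portal::Main::Constants, assuming that is where the constants live in this tree) and a `# TODO: U2F challenge/verify not implemented yet` comment. The `ott` default also reads `$_[0]->{p}` directly on one line and uses the `conf` accessor on the next; `$_[0]->p->loadModule(...)` matches the `$self->p->...` calls in Register/U2F.pm elsewhere in this diff.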
@@ -1,46 +1,26 @@
+# Self U2F registration
 package Lemonldap::NG::Portal::Register::U2F;
 use strict;
 use Mouse;
+use MIME::Base64;
 our $VERSION = '2.0.0';
-extends 'Lemonldap::NG::Portal::Main::Plugin';
+extends 'Lemonldap::NG::Portal::Lib::U2F';
-has crypter => ( is => 'rw' );
-
-has origin => (
- is => 'rw',
- default => sub {
- my $p = $_[0]->{conf}->{portal};
- $p =~ s#^(https?://[^/]+).*$#$1#;
- return $p;
- }
-);
+# INITIALIZATION
 sub init {
 my ($self) = @_;
- eval 'use Crypt::U2F::Server::Simple';
- if ($@) {
- $self->error("Can't load U2F library: $@");
- return 0;
- }
- unless (
- $self->crypter(
- Crypt::U2F::Server::Simple->new(
- appId => $self->origin,
- origin => $self->origin,
- )
- )
- )
- {
- $self->error( Crypt::U2F::Server::Simple::lastError() );
- return 0;
- }
+ return 0 unless $self->SUPER::init;
 $self->addAuthRoute( u2fregister => 'run', [ 'GET', 'POST' ] );
 return 1;
 }
+# RUNNING METHODS
+
+# Main method
 sub run {
 my ( $self, $req ) = @_;
@@ -50,8 +30,13 @@ sub run {
 my ( $keyHandle, $userKey ) = $self->crypter->registrationVerify($response);
 if ( $keyHandle and $userKey ) {
- $self->p->updatePersistentSession( $req,
- { _u2fHandle => $keyHandle, _u2fKey => $userKey } );
+ $self->p->updatePersistentSession(
+ $req,
+ {
+ _u2fHandle => encode_base64( $keyHandle, '' ),
+ _u2fKey => encode_base64( $userKey, '' )
+ }
+ );
 return $self->p->sendHtml( $req, 'u2fregister', params => { SUCCESS => 1 } );
 }
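Review bot: The key handle and public key are now persisted base64-encoded (`encode_base64( $keyHandle, '' )`), which changes the stored format of `_u2fHandle` / `_u2fKey`, but nothing in this diff decodes them on the way back (Plugins/U2F.pm's `run` is still a stub), so the code that later hands them to the crypter must `decode_base64` first and any persistent sessions written in the previous raw format, if there are any, will no longer verify. Record the format at the write site, e.g. `# stored base64-encoded without line breaks; decode_base64 before passing back to the crypter`. The result of `updatePersistentSession` is also discarded before the SUCCESS page is sent, and Run.pm in this same diff shows that call returns `()` when no uid can be resolved, so a registration that was never persisted would still be reported as successful; check that result (or at least log the uid-less case) before `sendHtml`. `run` begins outside this hunk, so where `$response` comes from and which challenge it is bound to cannot be seen here.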