Hello,
For the HR sensitive pages you need to define Portal authscheme with higher priority in order to trigger re-authentication. For details check the documentation: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/90/52c43dac1bcf51e10000000a114084/content.htm.
This new authscheme should point to an authentication stack which handles the two-factor authentication. Unfortunately it won't be sufficient to just configure SPNegoLoginModule and BasicPasswordLoginModule with flags REQUISITE there. You would need to use the login modules from SAP Single Sign-On product:
- RBALoginModule: if you would like the second factor to be password: http://help.sap.com/saphelp_nwsso20/helpdata/en/24/c51d3d04e94cff82268591decee781/content.htm
- TOTPLoginModule: if you would like the second factor to be passcode (one-time password): http://help.sap.com/saphelp_nwsso20/helpdata/en/ee/e29cdc72d241639b5f40c679af5cec/content.htm
Please note that using SPNEGO + password is not real two-factor authentication because you can obtain an SPNEGO token knowing the password. Thus the recommendation is to use one-time password (passcode) as second factor. SAP SSO product supports different types of passcodes: time-based generated by a mobile device, random passcodes sent via SMS or Email, external passcodes (RSA SecurID and others). If you would need further details just let me know.
Regards,
Dimitar