
Enable Multifactor Authentication(MFA) on ASP.NET MVC

April 2, 2019

Multi-Factor Authentication (MFA), sometimes called two-factor authentication, is a simple best practice that adds an extra layer of protection on top of your user name and password. Wikipedia says "Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism". You should use MFA whenever possible, especially for your most sensitive data, such as your primary email, your financial accounts and your personal details.

According to James Michael Stewart of Global Knowledge, there are three types of authentication factor used in Multi-Factor Authentication:

Type 1 – Something You Know – includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.

Type 2 – Something You Have – includes all items that are physical objects, such as keys, smartphones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.)

Type 3 – Something You Are – includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.

In this article, we demonstrate how to implement MFA on your ASP.NET MVC application using Google Authenticator.

  1. Create a new ASP.NET MVC application.
  2. Go to the Manage NuGet Packages window and install the "GoogleAuthenticator" package by Brandon Potter.
  3. Once it is installed, the corresponding reference is added to your application.
  4. In your Login controller, create a private constant called "Key". Also do not forget to add a using directive for Google.Authenticator at the top of your code file.

using Google.Authenticator; // at the top of the controller file

private const string Key = "2391a4518d30c8c565257bfba097b4a7"; // secret shared with the authenticator app

  5. In your Login action, add the following piece of code:

var setupInfo = new TwoFactorAuthenticator().GenerateSetupCode("YourapplicationName", "short description of your application", Key, 300, 300); // the last two arguments are the width and height of the QR code
string qrCodeImageUrl = setupInfo.QrCodeSetupImageUrl; // URL of the QR code image
string manualEntrySetupCode = setupInfo.ManualEntryKey; // manual entry key for users who cannot scan the QR code
ViewBag.BarcodeImageUrl = qrCodeImageUrl; // shown on the page by binding the URL to an image element
ViewBag.SetupCode = manualEntrySetupCode; // shown on the page for users who cannot use their phone

Here we create an object of the TwoFactorAuthenticator class and call its GenerateSetupCode method. This method accepts the application name, a short description, the key, and the width and height of the QR code image, and returns an object of the SetupCode class holding the Account, AccountSecretKey, ManualEntryKey and QrCodeSetupImageUrl. We use the QrCodeSetupImageUrl property to display the QR code image on the screen.

To validate, install the Google Authenticator app on your smartphone and scan the QR code image that we generated and displayed on the screen. As soon as you scan the image, the app shows a 6-digit code, which you then pass to the TwoFactorAuthenticator class for verification. You can use the piece of code below to achieve this.

var token = Request["passcode"]; // 6-digit code generated by the Google Authenticator app
var authenticator = new TwoFactorAuthenticator();
var isValid = authenticator.ValidateTwoFactorPIN(Key, token); // checks the code against the shared secret for the current time step
if (isValid)
{
    return RedirectToAction("UserProfile", "Home"); // authentication successful
}
return RedirectToAction("Login", "Home"); // authentication failed

Run the application. Log in and then use the Google Authenticator app on your phone to scan the QR code shown in your web app.

Go back to the web app and type in the 6-digit token from your Google Authenticator app.

Note: Google Authenticator is a software-based authenticator by Google that implements two-step verification using the Time-based One-time Password (TOTP) algorithm and the HMAC-based One-time Password (HOTP) algorithm for authenticating users of mobile applications.
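To show what the ValidateTwoFactorPIN call above does and what the ManualEntryKey is, here is an added reference implementation of HOTP (RFC 4226) and TOTP (RFC 6238) in Python; it is not the GoogleAuthenticator package's code. It assumes, as the package does by default, that the key string is used as its raw ASCII bytes and that the manual entry key is the base32 form of those bytes. Unlike the article's single hard-coded Key, a real deployment generates a random secret per user and stores it with the user record, because every user who shares one secret gets the same codes.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # TOTP time step used by Google Authenticator
DIGITS = 6         # length of the one-time code shown in the app


def manual_entry_key(secret: str) -> str:
    """Base32 form of the secret, typed into the app when the QR code cannot
    be scanned (the library's ManualEntryKey; ASCII-bytes key is an assumption)."""
    return base64.b32encode(secret.encode("utf-8")).decode("ascii").rstrip("=")


def hotp(secret_bytes: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to DIGITS decimal digits."""
    mac = hmac.new(secret_bytes, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_bytes: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of 30-second steps."""
    return hotp(secret_bytes, unix_time // STEP_SECONDS)


def validate_pin(secret: str, pin: str, unix_time: int = None, window: int = 1) -> bool:
    """Server-side check of a submitted code. Accepts the code for the current
    step and +/- `window` neighbouring steps to absorb phone/server clock drift,
    and compares in constant time so timing does not leak which digits matched."""
    if unix_time is None:
        unix_time = int(time.time())
    if not (pin.isdigit() and len(pin) == DIGITS):
        return False  # reject malformed input before doing any crypto
    secret_bytes = secret.encode("utf-8")
    step = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret_bytes, step + drift), pin)
        for drift in range(-window, window + 1)
        if step + drift >= 0
    )
```

The secret "12345678901234567890" is the RFC 6238 test vector, so the codes this produces can be checked against the RFC's published table.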
