The above code works by magic as far as I can tell because ISmsSender, unlike IEmailSender, is not defined anywhere I can find, and you're not defining it above. As a result, even looking at the GitHub sample, I don't know how the 2fa process is actually knowing how to send an sms message for you.
You need to define exactly where ISmsSender comes from OR if it isn't a stock interface, how to get the UserManager to know about it and work. Otherwise this sample is useless.
I'll address this in the next sprint.
Thanks! In the meantime, where does ISmsSender live? I can't find ANYTHING about it anywhere. Yours is literally the only documentation I can find for 2fa in .NET core 2.1.
Keep in mind we recommend you not use 2FA but rather QR code
ISmsSender is an interface the 2.0 templates generate. It's not in any MS library.
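```csharp
using System.Threading.Tasks;

// Generated by the 2.0 project templates; not part of any Microsoft library.
public interface ISmsSender
{
    Task SendSmsAsync(string number, string message);
}
```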
OK, well my question still isn't answered given that I don't want to be using QR codes. How does one register ISmsSender with the SignInManager so it knows how to send the message?
@JohnGalt1717 Step through the template generated code to see how it works (and the sample).
Thanks for contacting us.
We don’t have the resources to invest in this area, so we are closing the issue. Should your request generate enough 👍 responses, we’ll reconsider.
At the very least fix the documentation so that it's obvious that this isn't an interface that's included and define the interface so people know what the heck is going on.
@JohnGalt1717, I agree with you 100%. Got the same problem too
Hey, any progress on that ISmsSender? How to inject this to UserManager?
@Bassist067 There isn't any such thing. The documentation needs to be fixed to note this and give an example of what ISmsSender should look like and then note that you need to use a 3rd party implementation.
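The wiring the replies above describe, as an added example that is not part of the original thread or the template's generated code: Identity never resolves `ISmsSender`; it only generates and verifies the code through its phone token provider, and your own controller sends the message. `GatewaySmsSender`, `AddSmsTwoFactor` and `TwoFactorSmsController` are hypothetical names, and the send body is a placeholder for a third-party SMS gateway call.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// App-defined interface, same shape as the one quoted in this thread.
public interface ISmsSender { Task SendSmsAsync(string number, string message); }

// Hypothetical implementation; the body is where a third-party gateway call goes.
public class GatewaySmsSender : ISmsSender
{
    public Task SendSmsAsync(string number, string message) => Task.CompletedTask;
}

public static class SmsTwoFactorRegistration
{
    // Call from Startup.ConfigureServices. This only makes ISmsSender injectable
    // into your own code; UserManager and SignInManager never look it up.
    public static IServiceCollection AddSmsTwoFactor(this IServiceCollection services)
        => services.AddTransient<ISmsSender, GatewaySmsSender>();
}

public class TwoFactorSmsController : Controller
{
    private readonly SignInManager<IdentityUser> _signIn;
    private readonly UserManager<IdentityUser> _users;
    private readonly ISmsSender _sms;
    public TwoFactorSmsController(SignInManager<IdentityUser> signIn,
        UserManager<IdentityUser> users, ISmsSender sms)
    { _signIn = signIn; _users = users; _sms = sms; }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> SendCode()
    {
        // Non-null only after PasswordSignInAsync returned RequiresTwoFactor.
        var user = await _signIn.GetTwoFactorAuthenticationUserAsync();
        if (user == null) return Unauthorized();
        // The "Phone" provider is registered by AddDefaultTokenProviders().
        var code = await _users.GenerateTwoFactorTokenAsync(user, TokenOptions.DefaultPhoneProvider);
        await _sms.SendSmsAsync(await _users.GetPhoneNumberAsync(user), "Your security code is: " + code);
        return Ok();
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> VerifyCode(string code)
    {
        // Failed attempts count toward lockout when lockout is enabled for the user.
        var result = await _signIn.TwoFactorSignInAsync(TokenOptions.DefaultPhoneProvider, code, isPersistent: false, rememberClient: false);
        if (result.IsLockedOut) return StatusCode(423);
        return result.Succeeded ? (IActionResult)Ok() : Unauthorized();
    }
}
```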
Surely SMS should have some priority
SMS is not secure, that's why we recommend QR code
Cheers Rick, so it's not secure if the attacker can get hold of the person's device OR is the vulnerability not dependent on that?
SMS is susceptible to SIM Swap attacks
Hi Rick, I'm looking to use 2FA for our customers because we receive their email and phone number from a reliable source (their Mortgage Lender) and although that doesn't mitigate the SIM swap attack vector it does provide us with a convenient way to ensure 2FA is turned on by default. If we can have additional security by default then this raises the bar on security without compromising usability. I would prefer to use time based one time passwords however getting our users to download an additional application to do this does not align with a friction free onboarding path for our users and would require that we don't have 2FA enabled by default.
I guess all I'm really hoping is that you let us know if this is something that is likely to ever see the light of day or is it something that you think will fall out of favour completely and ever be developed/completed as we will have to make alternate plans.
@gavinkilbride you're still free to use SMS/2FA and like you say it's pretty simple.
@Rick-Anderson so you're saying I can implement a custom 2fa provider in order to achieve SMS 2FA in Microsoft.AspNetCore.Identity 3?
How do I implement / wire that up? I can't find this anywhere?
Cheers
@blowdart what's our guidance for SMS 2FA for ASP.NET Core 3.0. @gavinkilbride makes what seems to me a reasonable argument for it (Friction free 2FA).
Our guidance is the same as NIST, no-one should be doing this any more. The previous approach in 2.0 should work, but we're not going to document it.
Hello, I have been all over the internet trying to implement this SMS 2FA thing, similar to the other requests, I do not want to introduce extra complication on the user part, so QR code is not an option, PLEASE, any information that would guide me on how to implement this would be greatly appreciated. Thanks
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/2fa?view=aspnetcore-1.1 shows how to do it. Generate a 1.1 project and copy the code to a 3.1 project.
Passwords are also insecure and vulnerable to all kinds of attacks but they are still used everywhere. A combination of password and SMS would be a step up from password alone. The QR code can't be a serious suggestion. I've just checked on live.com and I'm able to set up SMS 2-step auth on my Microsoft account. It also let me recover my account with my email address, which is so much worse than SMS. In this industry it's accepted that no single auth method is perfect.
"This tutorial shows how to set up two-factor authentication (2FA) using SMS." Please remove this sentence. After creating an ASPSMS account, asking for test credits at ASPSMS, installing the ASPSMS package, modifying my code, I'm googling for "ISmsSender", to read this issue...
Please supersede "This tutorial shows how to set up two-factor authentication (2FA) using SMS." with "Two-factor authentication (2FA) using SMS is not supported in Core 3.1". Many thanks!
@KarliHuber you're free to use the 1.x and 2.x generated code for SMS.
Hi guys. I really believe this needs to be addressed. Spent so long puzzling why I could not find this declaration anywhere. At the very least amend the documentation or provide the interface in Microsoft.AspNetCore.Identity.UI.Services. Should be super easy to do with such a lightweight interface?