Aspnetcore.docs: Documentation for two factor (2FA) TOTP support

Created on 27 Jun 2018 · 14 Comments · Source: dotnet/AspNetCore.Docs

_From @skyflyer on June 27, 2018 9:59_

ASP.NET Identity 2.x includes support for two factor TOTP authentication using an authenticator on the smartphone. I couldn't find it documented anywhere. All I could find is configuring two factor auth with SMS Code, even though the docs specifically refer to TOTP as more appropriate:

From docs:

Two factor authentication (2FA) authenticator apps, using a Time-based One-time Password Algorithm (TOTP), are the industry recommended approach for 2FA. 2FA using TOTP is preferred to SMS 2FA.

Since TOTP does not need to be configured separately and is included by default in identity razor class library, it is not a big issue, but I suppose it would make sense to document that:

  • it is enabled by default
  • how to disable it

_Copied from original issue: aspnet/Identity#1850_

Labels: PU, doc-enhancement

All 14 comments

@blowdart how do we disable two factor TOTP authentication?

@HaoK is there an easy option somewhere? I'll be damned if I can't find it.

You mean entirely for the app, or how does a user disable it for themselves?

@HaoK both would be nice. Many sites have an opt-in policy for 2FA.

The authenticator token provider is added as part of 'AddDefaultTokenProviders' so skipping that call will prevent it from being enabled for the app.

There's a general flag per user for whether TFA is enabled; if they want even further granularity, to just disable the authenticator for this user, that would be something the app needs to add, perhaps as a new field in their user data.

@HaoK AddDefaultTokenProviders is never called by the templates. AddDefaultTokenProviders is called by AddDefaultIdentity.
Can you give me the code to replace the template-generated code:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection")));

    // AddDefaultIdentity registers cookies, the core Identity services,
    // the default UI and (via AddDefaultTokenProviders) every token
    // provider, including the TOTP authenticator provider.
    services.AddDefaultIdentity<IdentityUser>()
        .AddDefaultUI(UIFramework.Bootstrap4)
        .AddEntityFrameworkStores<ApplicationDbContext>();

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}

Instead of AddDefaultIdentity()

// This is the body of AddDefaultIdentity<TUser>(configureOptions) without the
// trailing .AddDefaultTokenProviders() call. In an app, replace TUser with the
// concrete user type (IdentityUser in the template) and inline or drop
// the configureOptions callback.
services.AddAuthentication(o =>
{
    o.DefaultScheme = IdentityConstants.ApplicationScheme;
    o.DefaultSignInScheme = IdentityConstants.ExternalScheme;
})
.AddIdentityCookies(o => { });

return services.AddIdentityCore<TUser>(o =>
{
    o.Stores.MaxLengthForKeys = 128;
    configureOptions?.Invoke(o);
})
    .AddDefaultUI()

And there would be no token providers registered, so they would have to add any they want explicitly, i.e. the authenticator would be .AddTokenProvider<AuthenticatorTokenProvider<IdentityUser>>(TokenOptions.DefaultAuthenticatorProvider)

Let me know if there's anything else you need from me on this one @Rick-Anderson
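The following is an added, complete Startup.ConfigureServices for the 2.2 template that applies the approach described in the comments above (it is not code from this thread or from the Identity UI package). It replaces AddDefaultIdentity with its constituent calls, registers every default token provider except the TOTP authenticator provider, and includes a small helper for the per-user opt-out. Assumptions: ASP.NET Core 2.2, the template's IdentityUser, and a hypothetical `WebApplication1.Data` namespace for ApplicationDbContext; the `TwoFactorOptOut` helper class is also hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using WebApplication1.Data; // assumed namespace of the template's ApplicationDbContext

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

        // Equivalent of AddDefaultIdentity<IdentityUser>() minus AddDefaultTokenProviders():
        // the application and external cookie schemes, then the core Identity services.
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = IdentityConstants.ApplicationScheme;
            o.DefaultSignInScheme = IdentityConstants.ExternalScheme;
        })
        .AddIdentityCookies(o => { });

        services.AddIdentityCore<IdentityUser>(o =>
        {
            o.Stores.MaxLengthForKeys = 128;
        })
        .AddDefaultUI(UIFramework.Bootstrap4)
        .AddEntityFrameworkStores<ApplicationDbContext>()
        // Register only the token providers this app needs. The "Default" provider
        // issues e-mail confirmation and password reset tokens; if it is missing,
        // UserManager throws NotSupportedException when asked to generate one.
        .AddTokenProvider<DataProtectorTokenProvider<IdentityUser>>(TokenOptions.DefaultProvider)
        .AddTokenProvider<EmailTokenProvider<IdentityUser>>(TokenOptions.DefaultEmailProvider)
        .AddTokenProvider<PhoneNumberTokenProvider<IdentityUser>>(TokenOptions.DefaultPhoneProvider);
        // Deliberately NOT registered, so TOTP is disabled app-wide:
        // .AddTokenProvider<AuthenticatorTokenProvider<IdentityUser>>(TokenOptions.DefaultAuthenticatorProvider)

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }
}

// Hypothetical helper for the per-user side: Identity already stores a
// TwoFactorEnabled flag on the user, which is false until the user opts in.
public static class TwoFactorOptOut
{
    // Turns 2FA off for one user and discards the stored authenticator secret so a
    // stale key cannot be reused if 2FA is later re-enabled.
    public static async Task<IdentityResult> DisableAsync(
        UserManager<IdentityUser> userManager, IdentityUser user)
    {
        var result = await userManager.SetTwoFactorEnabledAsync(user, false);
        if (!result.Succeeded)
        {
            return result;
        }
        return await userManager.ResetAuthenticatorKeyAsync(user);
    }
}
```

Caveat: the default Identity UI still ships its Manage/EnableAuthenticator pages, and those call the authenticator token provider to verify the code the user enters. With the provider unregistered they fail with NotSupportedException rather than quietly disappearing, so scaffold the Identity UI and remove or hide those pages (and the Manage/TwoFactorAuthentication links to them) when disabling TOTP app-wide.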

cc @serpent5 if you're interested.

Yup, I can do this one.
