2-Step Authentication in ASP.Net MVC

Question

I am working on an ASP.Net Mvc 3 application using FormsAuthentication with a custom MembershipProvider (so I do have some control over what the provider returns).

The requirements mandate a 2-step authentication process (username and password followed by secret question). A user should not be able to access any of the "secure" sections of the site without passing both steps. Please don't mention whether this is multi-factor security or not, I already know.

Please provide a recommendation on how to best accomplish this task.

Here are some considerations:

• I am allowed (architecturally) to use session - would prefer not to.
• I would prefer to use the out-of the box [Authorize] ActionFilter for Controllers providing secure content.
• The people in charge would like for the url for the 2 steps to be the same: i.e. www.contoso.com/login/. In my attempts at least, this has caused some minor-but-not-insignificant issues when users enter an incorrect answer in the second step (they are not officially logged in, but I need to ensure that I am still working against the half-authenticated user's secret question/answer).

Thanks.

Answer 1

Use a custom View Model in conjunction with hidden form fields. Just make sure it's all done over https.

ViewModel

public LoginForm
{
    public string UserName { get; set; }
    public string Password { get; set; }

    public int SecretQuestionId { get; set; }
    public string SecretQuestion { get; set; }
    public string SecretQuestionAnswer { get; set; }
}

Action Methods

public ActionResult Login()
{
    var form = new LoginForm();
    return View(form);
}

[HttpPost]
public ActionResult Login(LoginForm form)
{
    if (form.SecretQuestionId == 0)
    {
        //This means that they've posted the first half - Username and Password
        var user = AccountRepository.GetUser(form.UserName, form.Password);
        if (user != null)
        {
            //Get a new secret question
            var secretQuestion = AccountRepository.GetRandomSecretQuestion(user.Id);
            form.SecretQuestionId = secretQuestion.Id;
            form.SecretQuestion = secretQuestion.QuestionText;
        }
    }
    else
    {
        //This means that they've posted from the second half - Secret Question
        //Re-authenticate with the hidden field values
        var user = AccountRepository.GetUser(form.UserName, form.Password);
        if (user != null)
        {
            if (AccountService.CheckSecretQuestion(form.SecretQuestionId, form.SecretQuestionAnswer))
            {
                //This means they should be authenticated and logged in
                //Do a redirect here (after logging them in)
            }
        }
    }

    return View(form);
} 

View

<form>
    @if (Model.SecretQuestionId == 0) {
        //Display input for @Model.UserName
        //Display input for @Model.Password
    }
    else {
        //Display hidden input for @Model.UserName
        //Display hidden input for @Model.Password
        //Display hidden input for @Model.SecretQuestionId
        //Display @Model.SecretQuestion as text
        //Display input for @Model.SecretQuestionAnswer
    }
</form>

If you're not happy with sending the username and password back to the view in hidden fields to re-authenticate and make sure they're not cheating... you could create a HMAC or something like that to test.

Btw, this question seems like a few questions rolled into one... so just answered how to do 2-step authentication with one view / action method.