I am working on an ASP.Net Mvc 3 application using FormsAuthentication
with a custom MembershipProvider
(so I do have some control over what the provider returns).
The requirements mandate a 2-step authentication process (username and password followed by secret question). A user should not be able to access any of the "secure" sections of the site without passing both steps. Please don't mention whether this is multi-factor security or not, I already know.
Please provide a recommendation on how to best accomplish this task.
Here are some considerations:
[Authorize]
ActionFilter
for Controllers providing secure content.www.contoso.com/login/
. In my attempts at least, this has caused some minor-but-not-insignificant issues when users enter an incorrect answer in the second step (they are not officially logged in, but I need to ensure that I am still working against the half-authenticated user's secret question/answer).Thanks.
Use a custom View Model in conjunction with hidden form fields. Just make sure it's all done over https.
ViewModel
public LoginForm
{
public string UserName { get; set; }
public string Password { get; set; }
public int SecretQuestionId { get; set; }
public string SecretQuestion { get; set; }
public string SecretQuestionAnswer { get; set; }
}
Action Methods
public ActionResult Login()
{
var form = new LoginForm();
return View(form);
}
[HttpPost]
public ActionResult Login(LoginForm form)
{
if (form.SecretQuestionId == 0)
{
//This means that they've posted the first half - Username and Password
var user = AccountRepository.GetUser(form.UserName, form.Password);
if (user != null)
{
//Get a new secret question
var secretQuestion = AccountRepository.GetRandomSecretQuestion(user.Id);
form.SecretQuestionId = secretQuestion.Id;
form.SecretQuestion = secretQuestion.QuestionText;
}
}
else
{
//This means that they've posted from the second half - Secret Question
//Re-authenticate with the hidden field values
var user = AccountRepository.GetUser(form.UserName, form.Password);
if (user != null)
{
if (AccountService.CheckSecretQuestion(form.SecretQuestionId, form.SecretQuestionAnswer))
{
//This means they should be authenticated and logged in
//Do a redirect here (after logging them in)
}
}
}
return View(form);
}
View
<form>
@if (Model.SecretQuestionId == 0) {
//Display input for @Model.UserName
//Display input for @Model.Password
}
else {
//Display hidden input for @Model.UserName
//Display hidden input for @Model.Password
//Display hidden input for @Model.SecretQuestionId
//Display @Model.SecretQuestion as text
//Display input for @Model.SecretQuestionAnswer
}
</form>
If you're not happy with sending the username and password back to the view in hidden fields to re-authenticate and make sure they're not cheating... you could create a HMAC or something like that to test.
Btw, this question seems like a few questions rolled into one... so just answered how to do 2-step authentication with one view / action method.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With