
Add hashed security columns to ASP.NET Identity (MVC 5)

We are using Identity Framework 2.1.0 and plan to add a Security Question and Answer to the User Registration Page. We will have a separate table for Questions and would like to add 2 more columns to AspNetUsers:

  1. SecurityQuestionId
  2. SecurityAnswer

I want to keep the 'SecurityAnswer' column hashed. Since we already have a SecurityStamp column in this table, can we use this for hashing and de-hashing?

If yes, how? If no, what are the alternatives?

Your help is much appreciated, any reference, pointer is appreciated.

Adil Khalil asked Dec 01 '25 07:12


1 Answer

To hash your security answer, you can use UserManager.PasswordHasher:

```csharp
// manager is your instance of UserManager
var hashedAnswer = manager.PasswordHasher.HashPassword("Very secret Answer to my secret question");

// ... here store your hashed answer in the database
```

When the user comes back and tries to reset their password, get the stored hash of the answer and compare it to the answer newly provided by the user:

```csharp
PasswordVerificationResult isValid = manager.PasswordHasher.VerifyHashedPassword(hashedAnswer, "Hello, this is the wrong answer");

// compare the returned result against the enum value
if (isValid == PasswordVerificationResult.Success)
{
    // reset password, answer is correct
}
```

Something like this.

However, I'm not a fan of secret questions/answers. They are inherently flawed from the security point of view. Your answer becomes yet another password, and this one is much more guessable than your normal password, because the question provides a hint. I'd recommend reading through the excellent article from Troy Hunt about password resetting; it touches on the topic of secret questions/answers.

trailmax answered Dec 04 '25 20:12
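The hash-then-verify flow from the answer above, wrapped in a small helper; this is an added example, not code from the original answer or from ASP.NET Identity itself. The class name `SecurityAnswerHasher`, the normalization rules (case-insensitive, whitespace-collapsed) and `model.Answer` are assumptions; only `IPasswordHasher`, `HashPassword`, `VerifyHashedPassword` and `PasswordVerificationResult` come from Microsoft.AspNet.Identity.

```csharp
using System;
using Microsoft.AspNet.Identity;

// Hypothetical helper: hashes free-text security answers with the same
// IPasswordHasher that Identity uses for passwords (salted, one-way).
public class SecurityAnswerHasher
{
    private readonly IPasswordHasher _hasher;

    public SecurityAnswerHasher(IPasswordHasher hasher)
    {
        if (hasher == null) throw new ArgumentNullException("hasher");
        _hasher = hasher;
    }

    // Assumption: "  Rex " and "rex" should count as the same answer, so
    // normalize before hashing; a hash cannot be compared loosely afterwards.
    public static string Normalize(string answer)
    {
        if (string.IsNullOrWhiteSpace(answer))
            throw new ArgumentException("Answer must not be empty.", "answer");
        // A null separator array splits on any whitespace.
        var parts = answer.Trim().ToUpperInvariant()
            .Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
        return string.Join(" ", parts);
    }

    // Value to store in the SecurityAnswer column.
    public string Hash(string answer)
    {
        return _hasher.HashPassword(Normalize(answer));
    }

    // The stored hash is never reversed; the provided answer is hashed with
    // the stored salt and the results are compared.
    public bool Verify(string storedHash, string providedAnswer)
    {
        if (string.IsNullOrEmpty(storedHash) || string.IsNullOrWhiteSpace(providedAnswer))
            return false;
        var result = _hasher.VerifyHashedPassword(storedHash, Normalize(providedAnswer));
        // SuccessRehashNeeded also means the answer matched.
        return result != PasswordVerificationResult.Failed;
    }
}

// Usage (manager is your UserManager; model.Answer is a hypothetical form field):
//   var answers = new SecurityAnswerHasher(manager.PasswordHasher);
//   user.SecurityAnswer = answers.Hash(model.Answer);             // registration
//   bool ok = answers.Verify(user.SecurityAnswer, model.Answer);  // reset
```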