I am trying to implement one-time registration verification & daily login using SMS OTP for my app using the ASP.NET Core Identity implementation.
It is a one-time token, which should expire in 15 minutes if not used.
The user should request it again in case it's expired or lost.
Searching around for it, all the implementations provide details about MFA or Google Authenticator based verification, whereas this scenario is slightly different.
The Token will not be generated by the Server, and not the Authenticator app.
I need to store the token along with its generated-at time.
The token will be a 6-digit SMS.
The scenario is more similar to passwordless auth mentioned here, but then the token in that case is not stored. I need to store it with validity, and I am not sure how to extend .NET Core Identity to match the above requirement.
This is a fairly standard way of phone number authentication.
I know this is not a standard SO format, but I am at a loss as to where to start.
What is SMS OTP verification? OTP or One Time Password is a temporary authentication code sent via SMS to a user's registered mobile number. When a user logs in to an app or makes a transaction online, the system will automatically generate and send an OTP.
Because administration is so easy, SMS and email OTPs are often used as a means of granting short-term access when deploying physical tokens or when having a user download an authenticator app is undesirable or too much of a hassle.
More Secure than Traditional Passwords
SMS OTP is an especially fast, secure and uncomplicated way to complete 2FA and reduces the risk of fraud.
SMS OTP and HTTP header enrichment have been around for a long time without any major changes to the technologies themselves, so concerns that they have been overrun with time are a given. SMS OTP has a less-than-ideal user experience.
One-Time Passwords (OTP) add a layer of security in the form of Two Factor Authentication (2FA or TFA) to confirm identity. Unique, automated and time-sensitive passwords are sent as a method to verify who is trying to complete an action, like login or approve payment online.
I know this is an old question, but I found myself here with the same problem, and information about this is surprisingly thin on the ground. Likely because Microsoft recommends using (2FA) authenticator apps, using a Time-based One-time Password Algorithm (TOTP), rather than an OTP with SMS/Email.
Not the intended purpose, but nevertheless the following will allow you to generate and save a time limited (3 minutes) 6 digit OTP, associate it with a user and then use it to verify them using ASP.NET Core Identity.
GenerateChangePhoneNumberTokenAsync
var code = await _userManager.GenerateChangePhoneNumberTokenAsync(user, model.PhoneNumber);
https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.usermanager-1.generatechangephonenumbertokenasync
and
VerifyChangePhoneNumberTokenAsync
bool valid = await _userManager.VerifyChangePhoneNumberTokenAsync(user, code, model.PhoneNumber);
https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.usermanager-1.verifychangephonenumbertokenasync
This can be seen being implemented in the documentation posted by Erik & paulsm4
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/2fa?view=aspnetcore-1.1&viewFallbackFrom=aspnetcore-3.1
A link to the code https://github.com/dotnet/AspNetCore.Docs/tree/master/aspnetcore/security/authentication/2fa/sample/Web2FA
A link to the controller where this is implemented https://github.com/dotnet/AspNetCore.Docs/blob/master/aspnetcore/security/authentication/2fa/sample/Web2FA/Controllers/ManageController.cs
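A storage-based sketch of the requirements listed in the question (6-digit code, stored with its generated-at time, 15-minute expiry, single use), added here as an example and not taken from the posts above or from ASP.NET Core Identity. `SmsOtpStore`, the in-memory dictionary standing in for a database table, and the attempt limit are assumptions; it targets .NET 6 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not an ASP.NET Core Identity type.
// The dictionary stands in for a database table keyed by user id.
public sealed class SmsOtpStore
{
    private sealed record Entry(byte[] Hash, DateTimeOffset CreatedAt, int FailedAttempts);

    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(15); // from the question
    private const int MaxFailedAttempts = 5;                              // assumed limit
    private readonly ConcurrentDictionary<string, Entry> _entries = new();
    private readonly byte[] _hmacKey;                                     // server-side secret

    public SmsOtpStore(byte[] hmacKey) => _hmacKey = hmacKey;

    // Only a keyed hash is stored, so a leaked table does not expose live codes.
    private byte[] Hash(string userId, string code) =>
        HMACSHA256.HashData(_hmacKey, Encoding.UTF8.GetBytes($"{userId}:{code}"));

    // Issues a fresh code and replaces any earlier one for this user.
    public string Issue(string userId, DateTimeOffset now)
    {
        // CSPRNG with a uniform range; "D6" keeps leading zeros.
        string code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        _entries[userId] = new Entry(Hash(userId, code), now, 0);
        return code; // hand to the SMS gateway; do not log it
    }

    public bool Verify(string userId, string code, DateTimeOffset now)
    {
        if (!_entries.TryGetValue(userId, out var e)) return false;
        if (now - e.CreatedAt > Lifetime || e.FailedAttempts >= MaxFailedAttempts)
        {
            _entries.TryRemove(userId, out _); // expired or locked: request a new code
            return false;
        }
        if (!CryptographicOperations.FixedTimeEquals(e.Hash, Hash(userId, code ?? "")))
        {
            // Count the failure so 10^6 possibilities cannot be brute-forced.
            _entries.TryUpdate(userId, e with { FailedAttempts = e.FailedAttempts + 1 }, e);
            return false;
        }
        // Single use: only the caller that removes the entry succeeds.
        return _entries.TryRemove(userId, out _);
    }
}
```

With a real database, the read and update in `Verify` would be one transaction or a conditional update, and `Issue` would also be rate-limited per phone number.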