I'm looking into implementing two-factor authentication in MVC, similar to Google's Authenticator.
Since some users won't have two-factor authentication set up, we want to use a two-step process: one screen to enter the username and password, the other screen to enter the one-time password.
My difficulty is how do you securely store the user's username and password whilst they are entering their one-time password? Currently we receive the password and immediately reject or issue a cookie, so we don't store the password anywhere. However, with two steps we can't issue a cookie immediately because the user could then simply navigate to another action. Equally, I don't want to send the password back to the user as a hidden element in a form.
What is the standard practice for this situation?
The best I can think of is to store the username and password in the session, but I'm not sure how secure that is.
U2F/WebAuthn security keys are widely regarded as the most secure second factor: the key signs a server challenge that is bound to the site's origin, so a phishing page cannot obtain a usable response. Keys with a biometric sensor combine the possession factor (what you have) with the inherence factor (who you are), which makes a very strong method of verifying user identities.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts because, even if the victim's password is hacked, a password alone is not enough to pass the authentication check.
Push-based 2FA is still exposed to prompt bombing: an attacker who already holds the password triggers sign-in prompts until the user approves one by mistake. This works because the prompt often does not show what request is being approved, so the user has no way to recognise that the sign-in is not their own.
While an answer has already been accepted, I thought I would add a different way. You don't need to log the user in when you validate their username and password combination. If they have provided the correct details, all you need to store in the temporary data is their username (or their profile, if you want), then redirect them to the second-factor page. Only once they have provided the correct one-time password do you actually log the user in.
This method avoids the need for additional attributes, which can be a pain for consistency.
This is the relevant snippet showing how to achieve it:
```csharp
using System.Web.Mvc;
using System.Web.Security;

// Step one of the two-step login: validate the password, then either issue the
// auth cookie straight away (no 2FA configured) or stash the profile in TempData
// and hand off to the second-factor action. The password itself is never stored.
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            var profile = MvcTFAProfile.GetProfile(model.UserName);
            if (profile.UsesTwoFactorAuthentication)
            {
                // TempData is kept only until the next request reads it, which
                // is all the SecondFactor action needs. Only the profile and the
                // remember-me choice are carried over, never the password.
                TempData[CurrentUserTempDataKey] = profile;
                TempData[RememberMeTempDataKey] = model.RememberMe;
                return RedirectToAction("SecondFactor", new { returnUrl = returnUrl });
            }

            // No second factor configured: log the user in immediately.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            return RedirectToLocal(returnUrl);
        }
    }

    // If we got this far, something failed, redisplay form
    ModelState.AddModelError("", "The user name or password provided is incorrect.");
    return View(model);
}
```
The following link contains all the details on how to implement this in ASP.NET MVC, the article targets Google Authenticator, which may not be what you're working with but the principle of how to log the user in etc. is the same; https://samjenkins.com/mvc-two-factor-authentication/
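The flow the answer describes, carried through as an added, framework-neutral example (not code from the answer, the accepted answer, or the linked article): the password is checked once and discarded, the pending login is recorded under a random opaque token that the web layer would put in the session or TempData, and a session is issued only after a valid TOTP code. It also covers the checks a practitioner would want around that pending record: expiry, an attempt limit, single use of the token, and rejection of a replayed code. The names `TwoStepLogin`, `PENDING_TTL`, `MAX_OTP_ATTEMPTS` and the sample users are assumptions made for this example; alice's TOTP secret is the RFC 6238 reference secret so the codes can be checked against the RFC's test vectors.

```python
"""Two-step login (password, then TOTP) that never keeps the password between steps.

Added example. TwoStepLogin, PENDING_TTL and the sample users are assumptions,
not an API from the answer or the linked article.
"""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30            # RFC 6238 time step, seconds
TOTP_DIGITS = 6
PENDING_TTL = 300         # how long a half-finished login stays valid, seconds
MAX_OTP_ATTEMPTS = 5      # wrong codes allowed before the pending login is dropped
PBKDF2_ROUNDS = 200_000
DUMMY_SALT = bytes(16)    # so unknown users cost the same time as known ones
DUMMY_HASH = bytes(32)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // TOTP_STEP)


def verify_totp(secret: bytes, code: str, now: int, last_step: int, window: int = 1):
    """Accept the code for the current step or one step either side, but never a
    step at or before the last one this user already consumed, so an intercepted
    code cannot be replayed. Returns the accepted step, or None."""
    current = now // TOTP_STEP
    for step in range(current - window, current + window + 1):
        if step > last_step and hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_users():
    """Constructed sample store: alice has TOTP enabled with the RFC 6238
    reference secret (ASCII '12345678901234567890'); bob has no second factor."""
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "alice": {"salt": salt_a, "pw_hash": hash_password("correct horse", salt_a),
                  "totp_secret": b"12345678901234567890", "last_step": -1},
        "bob": {"salt": salt_b, "pw_hash": hash_password("battery staple", salt_b),
                "totp_secret": None, "last_step": -1},
    }


class TwoStepLogin:
    def __init__(self, users):
        self.users = users
        self.pending = {}    # opaque token -> pending-login record (no password in it)
        self.sessions = {}   # session id -> who is logged in; issued only after both steps

    def first_step(self, username, password, remember_me, now):
        """Check the password once and discard it. Returns (status, token_or_session)."""
        user = self.users.get(username)
        candidate = hash_password(password, user["salt"] if user else DUMMY_SALT)
        expected = user["pw_hash"] if user else DUMMY_HASH
        if not (hmac.compare_digest(candidate, expected) and user):
            return "rejected", None
        if user["totp_secret"] is None:
            return "session", self._issue_session(username, remember_me)
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"username": username, "remember_me": remember_me,
                               "expires": now + PENDING_TTL, "attempts": 0}
        return "second_factor", token

    def second_step(self, token, code, now):
        """Finish the login: the pending token must exist, be unexpired and unused."""
        rec = self.pending.get(token)
        if rec is None:
            return "rejected", None
        if now >= rec["expires"]:
            del self.pending[token]
            return "expired", None
        user = self.users[rec["username"]]
        step = verify_totp(user["totp_secret"], code, now, user["last_step"])
        if step is None:
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_OTP_ATTEMPTS:
                del self.pending[token]
                return "locked", None
            return "rejected", None
        user["last_step"] = step          # this code can never be accepted again
        del self.pending[token]           # the token is single use
        return "session", self._issue_session(rec["username"], rec["remember_me"])

    def _issue_session(self, username, remember_me):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"username": username, "persistent": remember_me}
        return sid
```

In an MVC application the token returned by `first_step` is what goes into TempData or the session; the pending record itself lives server-side, so nothing secret crosses the wire and a user who navigates elsewhere before finishing the second step simply has no session. Keying the replay check on the last accepted time step, rather than on the code string, is what stops a shoulder-surfed or phished code from being used a second time inside the acceptance window.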