Two factor authentication using identity server 4

Question

How to implement a two factor authentication using Identity Server 4? The token end point returns a token with a username and password / client credentials. Can we customize those end points?

Both the methods as per the sample does not allow to customize the end point:

>     var tokenClient = new TokenClient(disco.TokenEndpoint, "ro.client", "secret");
>     var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync("[email protected]",
> "Pass123$", "api1");

Is it possible to achieve 2 factor authentication using either asp.net identity Or EF Core implementation?

Answer 1

This shouldn't be a problem at all. When a user is redirected to the Identity Server for login in, if 2FA is enabled then he/she would have to enter the authenticator's code before the Identity Server returns the response back. I have created a repository and blog post series that explain in detail the related concepts. In the AccountController of the IdentityServer you have to check if 2FA is enabled and ask the user to proceed by providing an authenticator code before returning the response.

var signInResult = await _signInManager.PasswordSignInAsync(model.UserName, model.Password, true,
    lockoutOnFailure: false);

if (signInResult.RequiresTwoFactor)
{
    result.Status = Status.Success;
    result.Message = "Enter the code generated by your authenticator app";
    result.Data = new {requires2FA = true};
    return result;
}

You will also need a TwoFactorAuthenticationController that supports all the 2FA tasks (enable/disable 2FA, sign in with authenticator code/recovery tokens, reset authenticator, etc...)