ASP.NET Core 3.1 - 2FA Admin Override
Download KH Authenticator

.NET MAUI App for Windows and Android
Online Registration and Authentication
No Password Or Email Address Required!
Certified Providers
KenHaggerty.Com Users Without Passwords Users With Passwords Users Without IdentityThis article will describe the implementation of administrator override of a user's enabled 2FA. I will assume you have downloaded the ASP.NET Core 3.1 - Users Without Identity Project or created a new ASP.NET Core 3.1 Razor Pages project. See Tutorial: Get started with Razor Pages in ASP.NET Core. You should review the earlier articles of the Users Without Identity Project series.
Users Without Identity Project and Article Series
Creation Series
- ASP.NET Core 3.1 - Users Without Identity
- ASP.NET Core 3.1 - User Entity
- ASP.NET Core 3.1 - Password Hasher
- ASP.NET Core 3.1 - User Management
- ASP.NET Core 3.1 - Admin Role
- ASP.NET Core 3.1 - Cookie Validator
- ASP.NET Core 3.1 - Concurrency Conflicts
- ASP.NET Core 3.1 - Must Change Password
- ASP.NET Core 3.1 - User Database Service
- ASP.NET Core 3.1 - Rename Related Entities
2FA Series
- ASP.NET Core 3.1 - 2FA Without Identity
- ASP.NET Core 3.1 - 2FA User Tokens
- ASP.NET Core 3.1 - 2FA Cookie Schemes
- ASP.NET Core 3.1 - 2FA Authenticating
- ASP.NET Core 3.1 - 2FA Sign In Service
- ASP.NET Core 3.1 - 2FA QR Code Generator
- ASP.NET Core 3.1 - Admin 2FA Requirement
- ASP.NET Core 3.1 - 2FA Admin Override
Enhanced User Series
- ASP.NET Core 3.1 - Enhanced User Without Identity
- ASP.NET Core 3.1 - 2FA Recovery Codes
- ASP.NET Core 3.1 - Login Lockout
- ASP.NET Core 3.1 - Created And Last Login Date
- ASP.NET Core 3.1 - Security Stamp
- ASP.NET Core 3.1 - Token Service
- ASP.NET Core 3.1 - Confirmed Email Address
- ASP.NET Core 3.1 - Password Recovery
Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. Wikipedia®
Before the user's TwoFactorEnabled property is set, the user configures a second factor. The first factor is the user's password which is something they know. The second factor must be "something they have" or "something they are". Something they have is a physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc. Something they are is a physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc. Something they have is easier to implement and most people have a mobile phone.
Using SMS or email to send a verification code qualifies as something the user has but requires transmission of the code at the time of verification. Authenticator apps generate a time-based one-time password (TOTP). The TOTP is a 6 digit code which is a hash of the key and the current time. The key is transferred only once during the account setup. See the 2FA Authenticating article in this series.
Admins cannot set a user's 2FA enabled because they do not possess the second factor. A user could get locked out of their account if they lose their phone or inadvertently delete the account in the authenticator app. An administrator should be allowed to disable a user's TwoFactorEnabled property after a verified request from the user. The edit user page in the UWIP is accessible to administrators only. I added TwoFactorEnabled to the input model and a checkbox to the html. Notice the checkbox is disabled when TwoFactorEnabled is false.
Edit Admin / Users / Edit.cshtml.cs:
<div class="form-group"> <div class="custom-control custom-checkbox"> @if (Model.Input.TwoFactorEnabled) { <input class="custom-control-input" asp-for="Input.TwoFactorEnabled" /> <label class="custom-control-label" asp-for="Input.TwoFactorEnabled"> @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled) </label> } else { <input class="custom-control-input disabled" asp-for="Input.TwoFactorEnabled" disabled /> <label class="custom-control-label disabled" asp-for="Input.TwoFactorEnabled"> @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled) </label> } </div> <span asp-validation-for="Input.TwoFactorEnabled" class="text-danger"></span> </div>
I added the TwoFactorEnabled property, hidden on smaller screens to the users' index page.
Update 02/23/2021
I added the Enhanced User Series' article links.
Comments(0)