Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It is a method
of confirming users' claimed identities by combining two of three different factors: 1) something they know,
2) something they have, and 3) something they are.
Before the user's TwoFactorEnabled property is set, the user configures
a second factor. The first factor is the user's password which is something they know. The second factor must be
"something they have" or "something they are". Something they have is a physical object in the possession of the
user, such as a USB stick with a secret token, a bank card, a key, etc. Something they are is a physical characteristic
of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
Something they have is easier to implement, and most people have a mobile phone.
Using SMS or email to send a verification code qualifies as something the user has, but it requires transmission
of the code at the time of verification. Authenticator apps generate a time-based one-time password (TOTP).
The TOTP is a 6-digit code derived from a hash of the key and the current time. The key is transferred only once,
during account setup. See the 2FA Authenticating article in this series.
Admins cannot enable 2FA for a user because they do not possess the second factor. A user could get locked
out of their account if they lose their phone or inadvertently delete the account in the authenticator app. An
administrator should therefore be allowed to disable a user's TwoFactorEnabled property
after a verified request from the user. The edit user page in the UWIP is accessible to administrators only. I added
TwoFactorEnabled to the input model and a checkbox to the HTML. Notice that the checkbox is disabled when
TwoFactorEnabled is false, so an administrator can only clear the flag, never set it.
I enjoy writing these articles. It often enhances and clarifies my coding. I create research projects
to analyze and compose the articles before I publish them. The projects are the result of
a lot of refactoring and are provided under an MIT license. Registered users can download the
projects from Manage > Assets.