ASP.NET Core 3.1 - 2FA Admin Override

Ken Haggerty
Created 08/31/2020 - Updated 02/23/2021 23:58

This article will describe the implementation of administrator override of a user's enabled 2FA. I will assume you have downloaded the ASP.NET Core 3.1 - Users Without Identity Project or created a new ASP.NET Core 3.1 Razor Pages project. See Tutorial: Get started with Razor Pages in ASP.NET Core. You should review the earlier articles of the Users Without Identity Project series.

Users Without Identity Project and Article Series

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. (Wikipedia)

Before the user's TwoFactorEnabled property is set, the user configures a second factor. The first factor is the user's password which is something they know. The second factor must be "something they have" or "something they are". Something they have is a physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc. Something they are is a physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc. Something they have is easier to implement and most people have a mobile phone.

Using SMS or email to send a verification code qualifies as something the user has, but it requires transmission of the code at the time of verification. Authenticator apps instead generate a time-based one-time password (TOTP). The TOTP is a 6 digit code derived from a keyed hash (HMAC) of the shared secret key and the current time step. The key is transferred only once, during account setup. See the 2FA Authenticating article in this series.
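The following is an added example of the TOTP derivation described above (RFC 6238 over the RFC 4226 HOTP construction: HMAC-SHA1 of the secret and a 30-second time counter, truncated to 6 digits). It is not code from the Users Without Identity Project or from the 2FA Authenticating article; the class and method names are my own, and the secret is the RFC 6238 Appendix B test key, used here only because its expected output is published.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not UWIP code): RFC 6238 TOTP with HMAC-SHA1,
// a 30-second step and 6 digits, plus a verifier with a small drift window.
public static class Totp
{
    public const int StepSeconds = 30;
    public const int Digits = 6;

    // Time counter T = floor(unixSeconds / 30).
    public static long Counter(DateTimeOffset time) =>
        time.ToUnixTimeSeconds() / StepSeconds;

    // HOTP(key, counter): HMAC-SHA1 over the big-endian 8-byte counter,
    // dynamic truncation (RFC 4226 section 5.3), then reduce to 6 digits.
    public static string Compute(byte[] key, long counter)
    {
        var msg = new byte[8];
        for (int i = 7; i >= 0; i--)
        {
            msg[i] = (byte)(counter & 0xFF);
            counter >>= 8;
        }
        using var hmac = new HMACSHA1(key);
        byte[] hash = hmac.ComputeHash(msg);
        int offset = hash[hash.Length - 1] & 0x0F;
        int binary = ((hash[offset] & 0x7F) << 24)
                   | ((hash[offset + 1] & 0xFF) << 16)
                   | ((hash[offset + 2] & 0xFF) << 8)
                   | (hash[offset + 3] & 0xFF);
        int otp = binary % (int)Math.Pow(10, Digits);
        return otp.ToString().PadLeft(Digits, '0');
    }

    // Server side: accept the current step and one step either side to
    // tolerate clock drift, and compare codes in constant time so the
    // comparison itself leaks nothing about the expected value.
    public static bool Verify(byte[] key, string code, DateTimeOffset now, int window = 1)
    {
        long counter = Counter(now);
        for (long c = counter - window; c <= counter + window; c++)
        {
            if (CryptographicOperations.FixedTimeEquals(
                    Encoding.ASCII.GetBytes(Compute(key, c)),
                    Encoding.ASCII.GetBytes(code)))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
        // At Unix time 59 the published 8-digit SHA-1 TOTP is 94287082,
        // so the 6-digit code is the last six digits, 287082.
        byte[] key = Encoding.ASCII.GetBytes("12345678901234567890");
        var t = DateTimeOffset.FromUnixTimeSeconds(59);
        Console.WriteLine(Compute(key, Counter(t)));               // 287082
        Console.WriteLine(Verify(key, "287082", t));               // True
        Console.WriteLine(Verify(key, "287082", t.AddMinutes(5))); // False
    }
}
```

Because the code is a pure function of the key and the time counter, the server only needs the key it stored at setup and a reasonably synchronised clock; nothing is transmitted to the user at verification time, which is the property the article contrasts with SMS and email codes.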

Admins cannot enable a user's 2FA because they do not possess the second factor. A user could get locked out of their account if they lose their phone or inadvertently delete the account in the authenticator app. An administrator should therefore be allowed to clear a user's TwoFactorEnabled property after a verified request from the user. The edit user page in the UWIP is accessible to administrators only. I added TwoFactorEnabled to the input model and a checkbox to the HTML. Notice the checkbox is disabled when TwoFactorEnabled is false, so an admin can only turn 2FA off, never on.

Edit Admin / Users / Edit.cshtml.cs:
<div class="form-group">
    <div class="custom-control custom-checkbox">
        @if (Model.Input.TwoFactorEnabled)
        {
            <input class="custom-control-input" asp-for="Input.TwoFactorEnabled" />
            <label class="custom-control-label" asp-for="Input.TwoFactorEnabled">
                @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled)
            </label>
        }
        else
        {
            <input class="custom-control-input disabled" asp-for="Input.TwoFactorEnabled" disabled />
            <label class="custom-control-label disabled" asp-for="Input.TwoFactorEnabled">
                @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled)
            </label>
        }
    </div>
    <span asp-validation-for="Input.TwoFactorEnabled" class="text-danger"></span>
</div>
Edit User Page Desktop
Edit User Page Mobile
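Disabling the checkbox in the view is a usability cue, not a control: a disabled input is simply not posted, and any form field can be altered before submission. The rule that an administrator may only turn 2FA off has to be enforced in the page handler. The following is an added example of such a handler; it is not the project's Edit.cshtml.cs. The AppUser class, the IUserRepository interface with its FindByIdAsync and UpdateAsync methods, and the "Admin" role name are assumptions made for this example, since the UWIP has its own data access types.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

// Assumed types for this example; the UWIP project uses its own.
public class AppUser
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public bool TwoFactorEnabled { get; set; }
}

public interface IUserRepository
{
    Task<AppUser> FindByIdAsync(int id);
    Task UpdateAsync(AppUser user);
}

// Admin-only edit page (role name is an assumption for this example).
[Authorize(Roles = "Admin")]
public class EditModel : PageModel
{
    private readonly IUserRepository _users;
    private readonly ILogger<EditModel> _logger;

    public EditModel(IUserRepository users, ILogger<EditModel> logger)
    {
        _users = users;
        _logger = logger;
    }

    [BindProperty]
    public InputModel Input { get; set; }

    public class InputModel
    {
        [Required]
        public int Id { get; set; }

        [Display(Name = "2FA Enabled")]
        public bool TwoFactorEnabled { get; set; }
    }

    public async Task<IActionResult> OnGetAsync(int id)
    {
        var user = await _users.FindByIdAsync(id);
        if (user == null) return NotFound();
        Input = new InputModel { Id = user.Id, TwoFactorEnabled = user.TwoFactorEnabled };
        return Page();
    }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid) return Page();

        var user = await _users.FindByIdAsync(Input.Id);
        if (user == null) return NotFound();

        // Server-side enforcement of the article's rule: an admin cannot
        // enable 2FA, because only the user holds the second factor.
        // A posted "true" for a user whose flag is "false" is rejected
        // regardless of what the browser rendered.
        if (Input.TwoFactorEnabled && !user.TwoFactorEnabled)
        {
            ModelState.AddModelError("Input.TwoFactorEnabled",
                "2FA can only be enabled by the user after configuring a second factor.");
            return Page();
        }

        // The only permitted transition: true -> false, after a verified request.
        if (user.TwoFactorEnabled && !Input.TwoFactorEnabled)
        {
            user.TwoFactorEnabled = false;
            await _users.UpdateAsync(user);

            // Record which administrator cleared 2FA on which account, so the
            // override is visible in the logs and can be reviewed later.
            _logger.LogWarning("Admin {Admin} disabled 2FA for user {UserId} ({UserName})",
                User.Identity.Name, user.Id, user.UserName);
        }

        return RedirectToPage("./Index");
    }
}
```

The handler reloads the user from the store and compares the posted value against the stored flag, so the decision never depends on what the form claimed the previous state was. In a deployment you would typically also clear the stored authenticator key at the same time (not shown here, because the article does not describe where the UWIP keeps it), so that the user must enrol a fresh second factor rather than reactivating one that may have been on the lost device.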

I added the TwoFactorEnabled property, hidden on smaller screens, to the users' index page.

Users Index Page Desktop
Users Index Page Mobile
Update 02/23/2021

I added the Enhanced User Series' article links.

Article Tags:

2FA Authorization Model
