ASP.NET Core 3.1 - 2FA Admin Override


Ken Haggerty
Created 08/31/2020 - Updated 08/31/2020 06:30

This article will describe the implementation of administrator override of a user's enabled 2FA. I will assume you have created a new ASP.NET Core 3.1 Razor Pages project. See Tutorial: Get started with Razor Pages in ASP.NET Core. You should review the earlier articles of the Users Without Identity Project series.

Users Without Identity Project and Article Series

Access to the research project source code may be purchased on KenHaggerty.Com at Manage > Assets. A project which implements users without Identity has been published to demo.kenhaggerty.com. I enjoy writing these articles. It often enhances and clarifies my coding. The research project is a result of a lot of refactoring and hopefully provides logical segues for the articles. Thank you for supporting my efforts.

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. Wikipedia®

Before the user's TwoFactorEnabled property is set, the user configures a second factor. The first factor is the user's password which is something they know. The second factor must be "something they have" or "something they are". Something they have is a physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc. Something they are is a physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc. Something they have is easier to implement and most people have a mobile phone.

Using SMS or email to send a verification code qualifies as something the user has, but it requires transmitting the code at the time of verification, so the code is only as safe as the SMS or email channel it travels over. Authenticator apps generate a time-based one-time password (TOTP, RFC 6238). The TOTP is a 6 digit code derived from an HMAC of the shared key and the current 30 second time step, truncated to 6 digits. The key is transferred only once during the account setup. See the 2FA Authenticating article in this series.
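As an added example (not code from this article or the UWIP project), the following C# shows how the 6 digit code is actually derived: HMAC-SHA1 over the time step counter, dynamic truncation, then a modulo. The key is the RFC 6238 Appendix B test key, not a real secret; the class and method names are my own. RFC 6238 lists 94287082 as the 8 digit SHA1 value at Unix time 59, so the 6 digit result for that time is 287082.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: RFC 4226/6238 TOTP generation and verification. Not the UWIP
// project's code; the key used in Main is the RFC 6238 test vector key.
public static class Totp
{
    public const int Step = 30;   // seconds per time step (RFC 6238 default)
    public const int Digits = 6;

    // HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    // dynamic truncation to a 31-bit integer reduced modulo 10^Digits.
    public static string Hotp(byte[] key, long counter)
    {
        var msg = new byte[8];
        for (int i = 7; i >= 0; i--)
        {
            msg[i] = (byte)(counter & 0xff);
            counter >>= 8;
        }

        byte[] hash;
        using (var hmac = new HMACSHA1(key))
        {
            hash = hmac.ComputeHash(msg);
        }

        int offset = hash[hash.Length - 1] & 0x0f;
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   | (hash[offset + 3] & 0xff);

        int code = binary % (int)Math.Pow(10, Digits);
        return code.ToString().PadLeft(Digits, '0');
    }

    // TOTP (RFC 6238): the counter is the number of whole steps since the Unix epoch.
    public static string Generate(byte[] key, DateTimeOffset time)
    {
        return Hotp(key, time.ToUnixTimeSeconds() / Step);
    }

    // Accept the current step and one step either side for clock drift. The
    // comparison is constant time so a wrong guess does not leak how many
    // leading digits matched. Callers must also reject a counter that has
    // already been accepted (replay), which needs per-user state not shown here.
    public static bool Verify(byte[] key, string submitted, DateTimeOffset time, int window = 1)
    {
        long counter = time.ToUnixTimeSeconds() / Step;
        var submittedBytes = Encoding.ASCII.GetBytes(submitted ?? string.Empty);
        bool ok = false;
        for (long c = counter - window; c <= counter + window; c++)
        {
            var expected = Encoding.ASCII.GetBytes(Hotp(key, c));
            ok |= CryptographicOperations.FixedTimeEquals(expected, submittedBytes);
        }
        return ok;
    }

    public static void Main()
    {
        // RFC 6238 Appendix B test key (ASCII "12345678901234567890").
        byte[] key = Encoding.ASCII.GetBytes("12345678901234567890");
        var t = DateTimeOffset.FromUnixTimeSeconds(59);

        Console.WriteLine(Generate(key, t));
        Console.WriteLine(Verify(key, "287082", t));
        Console.WriteLine(Verify(key, "000000", t));
    }
}
```

The shared key is what the authenticator app stores after the one-time setup; the server keeps the same key per user, which is why an administrator who never saw the QR code cannot produce a valid second factor for that user.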

Admins cannot enable a user's 2FA because they do not possess the second factor. A user could get locked out of their account if they lose their phone or inadvertently delete the account in the authenticator app. An administrator should be allowed to clear a user's TwoFactorEnabled property after a verified request from the user. Because this override is exactly the recovery path a social engineer will aim for, the request should be verified out of band and the override logged with the administrator's identity. The edit user page in the UWIP is accessible to administrators only. I added TwoFactorEnabled to the input model and a checkbox to the html. Notice the checkbox is disabled when TwoFactorEnabled is false, so an admin can only uncheck it. A disabled input is a convenience for the browser, not a control: the OnPost handler must still refuse a posted value of true, since a crafted request can send any value.

Admin / Users / Edit.cshtml:
<div class="form-group">
    <div class="custom-control custom-checkbox">
        @if (Model.Input.TwoFactorEnabled)
        {
            <input class="custom-control-input" asp-for="Input.TwoFactorEnabled" />
            <label class="custom-control-label" asp-for="Input.TwoFactorEnabled">
                @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled)
            </label>
        }
        else
        {
            <input class="custom-control-input disabled" asp-for="Input.TwoFactorEnabled" disabled />
            <label class="custom-control-label disabled" asp-for="Input.TwoFactorEnabled">
                @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled)
            </label>
        }
    </div>
    <span asp-validation-for="Input.TwoFactorEnabled" class="text-danger"></span>
</div>
Edit User Page Desktop
Edit User Page Mobile
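The markup above only greys out the checkbox; the rule has to be enforced in the page handler. The following is an added example of an OnPostAsync that applies it server-side, written for this article and not taken from the UWIP source. The AppUser entity, the IUserStore interface, the "Admin" role name, the route parameter, and the decision to clear the stored authenticator key when 2FA is disabled are all assumptions; the project's own types are not shown on the page.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

namespace Uwip.Pages.Admin.Users
{
    // Hypothetical user entity and store; the UWIP project's own types are not on the page.
    public class AppUser
    {
        public int Id { get; set; }
        public string Email { get; set; }
        public bool TwoFactorEnabled { get; set; }
        public string AuthenticatorKey { get; set; }
    }

    public interface IUserStore
    {
        Task<AppUser> FindByIdAsync(int id);
        Task SaveAsync(AppUser user);
    }

    // Assumption: the page is reachable by administrators only via a role check.
    [Authorize(Roles = "Admin")]
    public class EditModel : PageModel
    {
        private readonly IUserStore _users;
        private readonly ILogger<EditModel> _logger;

        public EditModel(IUserStore users, ILogger<EditModel> logger)
        {
            _users = users;
            _logger = logger;
        }

        public class InputModel
        {
            [Required]
            public int Id { get; set; }

            [Display(Name = "2FA Enabled")]
            public bool TwoFactorEnabled { get; set; }
        }

        [BindProperty]
        public InputModel Input { get; set; }

        // Assumes the page directive is @page "{id:int}".
        public async Task<IActionResult> OnGetAsync(int id)
        {
            var user = await _users.FindByIdAsync(id);
            if (user == null) return NotFound();
            Input = new InputModel { Id = user.Id, TwoFactorEnabled = user.TwoFactorEnabled };
            return Page();
        }

        public async Task<IActionResult> OnPostAsync()
        {
            if (!ModelState.IsValid) return Page();

            // Always reload the stored state; never trust the posted value alone.
            var user = await _users.FindByIdAsync(Input.Id);
            if (user == null) return NotFound();

            // The disabled checkbox is not submitted, so the binder sees false from the
            // tag helper's hidden field. A forged request can still send true; refuse it,
            // because an administrator never possesses the user's second factor.
            if (Input.TwoFactorEnabled && !user.TwoFactorEnabled)
            {
                ModelState.AddModelError("Input.TwoFactorEnabled",
                    "Two-factor authentication can only be enabled by the user.");
                return Page();
            }

            if (!Input.TwoFactorEnabled && user.TwoFactorEnabled)
            {
                user.TwoFactorEnabled = false;
                // Assumption: drop the old authenticator key so re-enrolment issues a fresh one.
                user.AuthenticatorKey = null;
                await _users.SaveAsync(user);

                // Audit who overrode 2FA for whom; this is a recovery path attackers target.
                _logger.LogWarning("Admin {Admin} disabled 2FA for user {UserId}",
                    User.Identity.Name, user.Id);
            }

            return RedirectToPage("./Index");
        }
    }
}
```

The handler reloads the user and compares the posted flag against the stored one, so the only transition it will perform is true to false. Reading the flag from the form and writing it straight to the entity would let a request that sets TwoFactorEnabled=true succeed even though the markup never offers that option.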

I added the TwoFactorEnabled property, hidden on smaller screens, to the users' index page.

Users Index Page Desktop
Users Index Page Mobile

Article Tags:

2FA Authorization Model
