ASP.NET Core 3.1 - 2FA Admin Override
This article will describe the implementation of administrator override of a user's enabled 2FA. I will assume you have downloaded the ASP.NET Core 3.1 - Users Without Identity Project or created a new ASP.NET Core 3.1 Razor Pages project. See Tutorial: Get started with Razor Pages in ASP.NET Core. You should review the earlier articles of the Users Without Identity Project series.
Users Without Identity Project and Article Series
Creation Series
- ASP.NET Core 3.1 - Users Without Identity
- ASP.NET Core 3.1 - User Entity
- ASP.NET Core 3.1 - Password Hasher
- ASP.NET Core 3.1 - User Management
- ASP.NET Core 3.1 - Admin Role
- ASP.NET Core 3.1 - Cookie Validator
- ASP.NET Core 3.1 - Concurrency Conflicts
- ASP.NET Core 3.1 - Must Change Password
- ASP.NET Core 3.1 - User Database Service
- ASP.NET Core 3.1 - Rename Related Entities
2FA Series
- ASP.NET Core 3.1 - 2FA Without Identity
- ASP.NET Core 3.1 - 2FA User Tokens
- ASP.NET Core 3.1 - 2FA Cookie Schemes
- ASP.NET Core 3.1 - 2FA Authenticating
- ASP.NET Core 3.1 - 2FA Sign In Service
- ASP.NET Core 3.1 - 2FA QR Code Generator
- ASP.NET Core 3.1 - Admin 2FA Requirement
- ASP.NET Core 3.1 - 2FA Admin Override
Enhanced User Series
- ASP.NET Core 3.1 - Enhanced User Without Identity
- ASP.NET Core 3.1 - 2FA Recovery Codes
- ASP.NET Core 3.1 - Login Lockout
- ASP.NET Core 3.1 - Created And Last Login Date
- ASP.NET Core 3.1 - Security Stamp
- ASP.NET Core 3.1 - Token Service
- ASP.NET Core 3.1 - Confirmed Email Address
- ASP.NET Core 3.1 - Password Recovery
Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. Wikipedia®
Before the user's TwoFactorEnabled property is set, the user configures a second factor. The first factor is the user's password which is something they know. The second factor must be "something they have" or "something they are". Something they have is a physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc. Something they are is a physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc. Something they have is easier to implement and most people have a mobile phone.
Using SMS or email to send a verification code qualifies as something the user has, but it requires transmission of the code at the time of verification. Authenticator apps instead generate a time-based one-time password (TOTP). The TOTP is a 6-digit code which is a hash of the key and the current time. The key is transferred only once, during account setup. See the 2FA Authenticating article in this series.
Administrators cannot enable a user's 2FA on their behalf because they do not possess the second factor. A user could get locked out of their account if they lose their phone or inadvertently delete the account in the authenticator app. An administrator should therefore be allowed to disable a user's TwoFactorEnabled property after a verified request from the user. The edit user page in the UWIP is accessible to administrators only. I added TwoFactorEnabled to the input model and a checkbox to the HTML. Notice the checkbox is disabled when TwoFactorEnabled is false, so the administrator can only clear it, never set it.
Edit Admin / Users / Edit.cshtml.cs:
    <div class="form-group">
        <div class="custom-control custom-checkbox">
            @if (Model.Input.TwoFactorEnabled)
            {
                <input class="custom-control-input" asp-for="Input.TwoFactorEnabled" />
                <label class="custom-control-label" asp-for="Input.TwoFactorEnabled">
                    @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled)
                </label>
            }
            else
            {
                <input class="custom-control-input disabled" asp-for="Input.TwoFactorEnabled" disabled />
                <label class="custom-control-label disabled" asp-for="Input.TwoFactorEnabled">
                    @Html.DisplayNameFor(model => model.Input.TwoFactorEnabled)
                </label>
            }
        </div>
        <span asp-validation-for="Input.TwoFactorEnabled" class="text-danger"></span>
    </div>
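The disabled attribute only affects the rendered form; the page handler still has to enforce the same rule on the server so that a form post cannot set TwoFactorEnabled to true for a user who has it off. The following is an added example, not the UWIP project's own code: AppUser, IUserStore, TwoFactorOverride and the EditModel handler body are hypothetical stand-ins for the project's user entity, user database service and Edit page model, written to show the "clear only, never set" rule applied server-side with an audit log entry.

```csharp
// Added example (not the UWIP project's own code). AppUser, IUserStore,
// TwoFactorOverride and the handler body are hypothetical illustrations.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

// Minimal stand-in for the project's user entity (hypothetical).
public class AppUser
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public bool TwoFactorEnabled { get; set; }
}

// Minimal stand-in for the project's user database service (hypothetical).
public interface IUserStore
{
    Task<AppUser> FindByIdAsync(int id);
    Task SaveAsync(AppUser user);
}

public static class TwoFactorOverride
{
    // Server-side rule: an administrator may clear TwoFactorEnabled, never set it.
    // Returns false when the request tries to enable 2FA on a user who has it off;
    // the HTML "disabled" attribute on the checkbox is a UI hint, not an access control.
    public static bool TryApply(AppUser user, bool requestedTwoFactorEnabled)
    {
        if (requestedTwoFactorEnabled && !user.TwoFactorEnabled)
        {
            return false;
        }

        // true -> false is the override; true -> true and false -> false are no-ops.
        user.TwoFactorEnabled = user.TwoFactorEnabled && requestedTwoFactorEnabled;
        return true;
    }
}

[Authorize(Roles = "Admin")]
public class EditModel : PageModel
{
    private readonly IUserStore _users;
    private readonly ILogger<EditModel> _logger;

    public EditModel(IUserStore users, ILogger<EditModel> logger)
    {
        _users = users;
        _logger = logger;
    }

    [BindProperty]
    public InputModel Input { get; set; }

    public class InputModel
    {
        public int Id { get; set; }
        public bool TwoFactorEnabled { get; set; }
    }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid)
        {
            return Page();
        }

        var user = await _users.FindByIdAsync(Input.Id);
        if (user == null)
        {
            return NotFound();
        }

        var wasEnabled = user.TwoFactorEnabled;
        if (!TwoFactorOverride.TryApply(user, Input.TwoFactorEnabled))
        {
            ModelState.AddModelError("Input.TwoFactorEnabled",
                "Two-factor authentication can only be enabled by the user.");
            return Page();
        }

        if (wasEnabled && !user.TwoFactorEnabled)
        {
            // Record which administrator disabled 2FA for which user; this is the
            // audit trail for the override and should be reviewable after the fact.
            _logger.LogWarning("Admin {Admin} disabled 2FA for user {User}",
                User.Identity?.Name, user.UserName);
        }

        await _users.SaveAsync(user);
        return RedirectToPage("./Index");
    }
}
```

When the checkbox is disabled the browser omits it from the post, and the hidden "false" field that the checkbox tag helper emits is what binds to Input.TwoFactorEnabled, so the normal path through TryApply is a no-op for users without 2FA; only a request that arrives with the value true for such a user is rejected.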
I added the TwoFactorEnabled property, hidden on smaller screens, to the users' index page.
Update 02/23/2021
I added the Enhanced User Series' article links.