This article will describe utilities for implementing a successful FIDO project. I will assume you have downloaded the
FREE ASP.NET Core 3.1 - FIDO Utilities Project or created a new ASP.NET Core 3.1 Razor Pages project. I won't use
Identity or Individual User Accounts. See
Tutorial: Get started with Razor Pages in ASP.NET Core.
FIDO Utilities Project and Article Series
The ASP.NET Core 3.1 - FIDO Utilities Project (FUP) is a collection of utilities I use in the ASP.NET Core 5.0 - Users
Without Passwords Project (UWPP). I have upgraded the FUP with Bootstrap v5 and Bootstrap Native v4. FUP
version 2.1 features SingleUser Authentication, Admin Page with Send Email Tests, ExceptionEmailerMiddleware,
Offcanvas Partial Demo, Path QR Code Demo, and Copy and Paste Demo. The SMTP Settings Tester is updated
and now located in the authorized Pages > Admin folder. The EmailSender and AES Cipher Demo are also updated.
Registered users can download the source code for free on KenHaggerty.Com at Manage > Assets.
The UWPP is published at Fido.KenHaggerty.Com.
While testing and debugging the new versions, I found the Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation
NuGet package extremely helpful. I have had issues with runtime compilation in the past,
but I implemented it in this project with new guidance from MS Docs with no issues. See:
Razor file compilation in ASP.NET Core
I am developing a research project and article series named Users Without Passwords about
FIDO (Fast IDentification Online) UAF (Universal Authentication Framework),
also known as
The registration and login processes involve communication between the server, client-js, authenticator,
and user. The server provides a unique code called a challenge to the client. The client transforms the challenge
to a UInt8Array expected by the authenticator. The client requests the user's login name. The challenge and
username are used to register or verify a public key with the authenticator. The client sends the response from
the authenticator to the server. The response includes the challenge which is decoded from the UInt8Array to
verify a match to the server's original code. If the challenge is verified, the response is decoded and verified.
If the response is verified, it is stored and an action such as creating or logging in the user is carried out.
The FIDO processes involve a lot of things that can go wrong and I would like to know when they do. A notice of
something going right is also nice. By far, my most popular article is
ASP.NET Core 2.2 - SMTP EmailSender Implementation. I have added a SendAdminEmail function by adding
an AdminEmail setting and injecting IHttpContextAccessor. This allows access to the current HttpContext properties
like UserAgent, Anonymized IP, Path and QueryString inside the service. See the
ASP.NET Core 3.1 - SMTP EmailSender article.
I developed an email settings verifier which allows you to test email settings and displays the runtime settings
and settings from appsettings.json and appsettings.development.json.
The first oops message in the Users Without Passwords Project was a Bootstrap-jQuery modal with no
dismiss button, a link to start over, a 'static' backdrop and keyboard=false. I liked it enough to develop a
success message to present before automatically navigating to the goal. I liked that enough to develop a
global message modal by adding the html for a modal to _Layout.cshtml and a showMessageModal() function
to site.js. I liked that enough to develop a message-modal.js which dynamically creates the html.
Variables reference the created modal components which allow the message modal to co-exist with other
modals. It can be loaded in _Layout.cshtml for global access or used locally by loading from the page.
The showMessageModal() function has defaults and parameters. See the ASP.NET Core 3.1 - Message Modal article.
The project includes a Modal Message Generator which dynamically creates the minimal signature for the
showMessageModal function with examples.
Most but not all browsers support Credentials and PublicKeyCredential which are required by FIDO processes.
You can detect support for Credentials and PublicKeyCredential. I developed a getWebAuthnError() function in
site.js which also notifies the lack of https on hosts other than localhost. This function returns an error or empty
string. If an error is detected, you can disable buttons for FIDO functions or inform and redirect the user with the
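A sketch of the kind of check described above, added here as an example and not the project's site.js. The function name webAuthnSupportError, the win parameter and the fakeWindow helper are hypothetical; in a page you would pass the real window object.

```javascript
// Added example; names are hypothetical, not the project's getWebAuthnError().
// Returns an error message, or '' when FIDO functions can be attempted.
function webAuthnSupportError(win) {
  const host = win.location.hostname;
  const isLocal = host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
  // Browsers expose the credential APIs only in secure contexts:
  // https, with an exception for localhost during development.
  if (win.location.protocol !== 'https:' && !isLocal) {
    return 'FIDO requires https on hosts other than localhost.';
  }
  const creds = win.navigator && win.navigator.credentials;
  if (!creds || typeof creds.create !== 'function' || typeof creds.get !== 'function') {
    return 'This browser does not support Credentials.';
  }
  if (typeof win.PublicKeyCredential !== 'function') {
    return 'This browser does not support PublicKeyCredential.';
  }
  return '';
}

// Constructed window-like object so the check can run outside a browser.
function fakeWindow(protocol, hostname, hasCredentials, hasPublicKey) {
  const credentials = hasCredentials ? { create() {}, get() {} } : undefined;
  return {
    location: { protocol, hostname },
    navigator: { credentials },
    PublicKeyCredential: hasPublicKey ? function PublicKeyCredential() {} : undefined,
  };
}

// In a page: const error = webAuthnSupportError(window);
// then disable the register and login buttons when error is not ''.
```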
The server must persist the challenge code between the initial request and the callback. I use the Cookie
TempDataProvider in this project for the proof of concept. The UWPP implements the PageModel's
ASP.NET Core 5.0 - The TempData Challenge.
The challenge must be properly encoded and decoded to survive the round trip from the server to the client-js
and back. I use a new guid for the unique code which needs to be ASCII encoded to work well
MDN - Base64.
Base64 encoding uses the = char to pad the string to a multiple of four. I use the IdentityModel Base64Url
encoder to convert the guidArray without padding.
I simulate an authenticator by converting the challenge from the server to a UInt8Array before posting the serialized
challenge array to the callback. The callback decodes the posted challenge and compares it to the original code
we stored in TempData. See the ASP.NET Core 3.1 - Round Trip Challenge article.
The project includes a Challenge demo which implements the Cookie TempDataProvider and UInt8Array conversion.
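The round trip described above and in the registration and login overview, as an added example that is not the project's code. It runs both sides in JavaScript; the function names, the tempData object standing in for TempData, and the sample GUID are assumptions made for illustration.

```javascript
// Added example; function names and the tempData object are hypothetical.
const encoder = new TextEncoder();
// Base64Url: '+' -> '-', '/' -> '_', and no '=' padding.
function toBase64Url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromBase64Url(text) {
  const b64 = text.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), c => c.charCodeAt(0));
}

// Server, initial request: store the code and send it Base64Url encoded.
function issueChallenge(tempData, guid) {
  tempData.challenge = guid;                 // stands in for TempData
  return toBase64Url(encoder.encode(guid));  // GUID text is pure ASCII
}

// Client: decode to the Uint8Array an authenticator expects, then serialize
// that array for the post (the simulated authenticator just echoes it).
function clientRoundTrip(encodedChallenge) {
  return JSON.stringify(Array.from(fromBase64Url(encodedChallenge)));
}

// Server, callback: decode the posted array and compare to the stored code.
function verifyChallenge(tempData, postedJson) {
  const stored = tempData.challenge;
  delete tempData.challenge;                 // one attempt per issued challenge
  if (typeof stored !== 'string') return false;
  let posted;
  try { posted = JSON.parse(postedJson); } catch { return false; }
  const want = encoder.encode(stored);
  if (!Array.isArray(posted) || posted.length !== want.length) return false;
  if (!posted.every(b => Number.isInteger(b) && b >= 0 && b <= 255)) return false;
  let diff = 0;                              // no early exit on first mismatch
  for (let i = 0; i < want.length; i++) diff |= want[i] ^ posted[i];
  return diff === 0;
}

// Constructed sample GUID; a server would create a new one per request.
const SAMPLE_GUID = '3f2504e0-4f89-11d3-9a0c-0305e82c3301';
function demo() {
  const tempData = {};
  const sent = issueChallenge(tempData, SAMPLE_GUID);
  const first = verifyChallenge(tempData, clientRoundTrip(sent));
  const replay = verifyChallenge(tempData, clientRoundTrip(sent));
  return { sent, first, replay };
}
```

The second verification in demo() fails because the stored code is removed when it is read, so a captured response cannot be posted again.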
I added The TempData Demo which demonstrates the TempData attribute and ITempDataDictionary implemented in
features in the project.
I developed an Ajax Postback Control which updates the heading of a control from a list of controls on a page.
It allows users to rename authenticators in the Users Without Passwords Project and I include a demonstration
in the FIDO Utilities Project.
The project includes a Spinner Generator which uses an SVG image in a partial view to display a waiting or
loading state. You can configure the size, speed, and color of the Spinner control.
With fresh encryption experience I decided to implement a cipher for database connection strings in
appsettings.json. I added an Advanced Encryption Standard (AES) cipher and an encrypted connection string demo to the
I started my FIDO research over 8 months ago when I purchased a Security Key NFC by Yubico. My laptop has
a fingerprint scanner which is supported by Windows 10 Hello. Windows 10 Hello is certified as a FIDO2
authenticator for passwordless sign-in on the web. Windows 10 Hello also supports a PIN and face recognition
with a compatible IR camera. See the ASP.NET Core 3.1 - FIDO2 Authenticators article.
The FIDO processes are often complex with a lot of moving parts. I decided to create this project to describe some
of the fundamentals for a successful process. I will refer to this series from the Users Without Passwords Project
series which can now focus on users and authenticators.