This article shows how to set up two-step verification using SMS.
Create an ASP.NET 5 Project
To begin, create a new ASP.NET Web Application using Visual Studio 2015:
In the next step, select the Web Site project template under the ASP.NET templates, and in the right panel confirm that individual authentication is selected:
The project has now been created and may take a few minutes to load. The Visual Studio status bar shows that some resources are still being downloaded: Visual Studio fetches the files it considers necessary as part of the application solution.
Running the application
After the project is loaded, run the application and you will see the following page:
Two-step verification with SMS
This tutorial uses Twilio, but you can also use any other SMS technology provider.
- Create a Twilio account
- Copy the SID and Auth token from the Account tab
- From the Numbers tab page, copy your Twilio phone number
- Make sure the above two items are available in your application
- Add a Twilio NuGet package to your application
- Add code in MessageServices to send SMS messages
    public static Task SendSmsAsync(string number, string message)
    {
        // Plug in your SMS service here to send a text message.
        var twilio = new TwilioRestClient("YourTwilioSid", "YourTwilioToken");
        var result = twilio.SendMessage("YourTwilioPhoneNumber", number, message);
        return Task.FromResult(0);
    }
Note: Twilio is not available for dnxcore50 because there is no Twilio NuGet package for that target; if you need to use it there, you can call the Twilio REST API instead.
Note: Do not write account credentials directly in the code. The example above does so only to keep the code concise; in practice, use Secret Manager to handle confidential information.
Turn on two-step verification
The application already contains the code for two-step verification; the steps below show how to turn it on:
1. Open the Index.cshtml template in the Views/Manage directory
2. Uncomment the code so that the user can enter their own phone number:
    <dt>Phone Number:</dt>
    <dd>
        @(Model.PhoneNumber ?? "None") [
        @if (Model.PhoneNumber != null)
        {
            <a asp-controller="Manage" asp-action="AddPhoneNumber">Change</a>
            @: |
            <a asp-controller="Manage" asp-action="RemovePhoneNumber">Remove</a>
        }
        else
        {
            <a asp-controller="Manage" asp-action="AddPhoneNumber">Add</a>
        }
        ]
    </dd>
3. Uncomment the following code to enable the user to turn on or off two-step verification:
    <dt>Two-Factor Authentication:</dt>
    <dd>
        @if (Model.TwoFactor)
        {
            <form asp-controller="Manage" asp-action="DisableTwoFactorAuthentication" method="post" class="form-horizontal" role="form">
                <text>
                    Enabled
                    <input type="submit" value="Disable" class="btn btn-link" />
                </text>
            </form>
        }
        else
        {
            <form asp-controller="Manage" asp-action="EnableTwoFactorAuthentication" method="post" class="form-horizontal" role="form">
                <text>
                    Disabled
                    <input type="submit" value="Enable" class="btn btn-link" />
                </text>
            </form>
        }
    </dd>
Logging in to the application with two-factor authentication
Run the application to demonstrate two-step verification:
1. Register a new user for the application:
2. In the top navigation bar, click your user name (your email address):
3. Add a phone number:
4. At this point, if everything is OK, you will receive a text message from the number obtained above:
5. Enter the verification code you received in the page:
6. Submit the page; the phone number is then displayed on the user information page:
7. Click Enable to turn on two-step verification:
8. Log out, then log in again with this user name and password. Once the user name and password have been verified, you are taken to a page that lets you choose the verification method; if other second factors are available, such as QR code or email, they appear as options in the drop-down list:
9. Finally, click Submit and enter the verification code you received; the login succeeds:
Lock out accounts to prevent brute force
We recommend using account lockout together with two-factor authentication. Once the user logs on, each failed attempt is recorded, and when the configured number of failures is reached (the default is five), the account is locked out for 5 minutes. The following configuration locks the account out for 10 minutes after 10 failed logon attempts:
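    services.Configure<IdentityOptions>(options =>
    {
        // Lock the account for 10 minutes...
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(10);
        // ...after 10 failed attempts.
        options.Lockout.MaxFailedAccessAttempts = 10;
    });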
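To make the effect of the lockout settings described above concrete, the following added example (not code from the original article or from ASP.NET Identity) models the failed-attempt counter and measures how many wrong codes a locked-out account will actually evaluate in a day. The LockoutPolicy and AccountState classes, the fixed clock and the one-submission-per-second scenario are assumptions constructed for illustration.

```csharp
using System;

// Simplified model of the lockout policy configured above; not ASP.NET Identity's own code.
class LockoutPolicy
{
    public int MaxFailedAccessAttempts = 10;                            // value used in the article
    public TimeSpan DefaultLockoutTimeSpan = TimeSpan.FromMinutes(10);  // value used in the article
}

class AccountState
{
    public int AccessFailedCount;
    public DateTimeOffset? LockoutEnd;

    public bool IsLockedOut(DateTimeOffset now) => LockoutEnd.HasValue && LockoutEnd.Value > now;

    // Returns true only when the code is evaluated and accepted.
    // A locked-out account rejects the attempt without evaluating the code at all.
    public bool TryVerify(LockoutPolicy policy, bool codeIsCorrect, DateTimeOffset now)
    {
        if (IsLockedOut(now)) return false;
        if (codeIsCorrect) { AccessFailedCount = 0; return true; }
        if (++AccessFailedCount >= policy.MaxFailedAccessAttempts)
        {
            LockoutEnd = now + policy.DefaultLockoutTimeSpan; // start the lockout window
            AccessFailedCount = 0;                            // counter restarts after lockout
        }
        return false;
    }
}

static class Program
{
    static void Main()
    {
        var policy = new LockoutPolicy();
        var account = new AccountState();
        var now = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero); // constructed clock
        int evaluated = 0;
        // Constructed scenario: one wrong code submitted every second for 24 hours.
        for (int s = 0; s < 24 * 60 * 60; s++, now = now.AddSeconds(1))
        {
            if (account.IsLockedOut(now)) continue; // rejected before the code is checked
            account.TryVerify(policy, codeIsCorrect: false, now: now);
            evaluated++;
        }
        Console.WriteLine($"Wrong codes evaluated in 24 h: {evaluated} of {24 * 60 * 60} submitted");
    }
}
```

Changing the two fields of LockoutPolicy to the defaults mentioned in the text (five attempts, five minutes) lets you compare how each setting bounds the number of codes an account will evaluate.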
Original address: http://docs.asp.net/en/latest/security/2fa.html
Use ASP.NET Identity to implement two-step verification with SMS