hey everyone,
Has anyone created or read an article on creating a multi-factor login system for asp.net? The idea would be to have a security question after the login to validate the user. The security question would be something they would generate. Kinda similar to the way some online banks do it.
-
Well, you wouldn't be able to use the built-in login controls for ASP.NET but rolling your own is easy enough. You would simply delay the call to FormsAuthentication.SetAuthCookie(...); until after the second page.
chopps: so the loginurl would be the first login page...if passed, sent to the second page..then set the formsauth cookie once the second piece is validated?

Mark Brittingham: Right - the first page collects the User ID, for example. If a matching ID is found in the database, then a redirect to the second page is sent. On the second page, the user will enter their password (identify a picture, etc.). Assuming the password matches, you'll SetAuthCookie.

chopps: Got it. I would just need to set some session variable that the user passed the first step so if someone tries to bypass the login process they would be redirected to the second login page or to an error page.

Mark Brittingham: Yes - that is right...you must not count on an argument passed in the URL! Anyone arriving without the appropriate session variable set would be redirected back to the signin page.

chopps: Hey Mark and others, if you have a chance take a look at this little test project. I have it working but wouldn't mind an extra pair of eyes to see if it looks ok. http://is.gd/rekn

chopps: i think i might have cleaned the code up a bit too much. On the validatelogin Page_Load it should look like this:

chopps:
    if (!MySess.Current.IsFirstStepValidated)
        FormsAuth.RedirToLoginPage();
    else if (MySess.Current.IsFirstStepValidated)
        if (MySess.Current.IsSecondStepValidated)
            Response.Redirect("default.aspx");

chopps: code above abbreviated to make it fit in text area..sorry

Mark Brittingham: Chopps - if you are on the second page, you'll just have the "if (!..IsFirstStepValidated) Response.Redirect(..);" in the PageLoad. Then in the button handler where they enter the password, you'll redirect to the login destination. I don't think you'll even need to declare a session var for step 2.

chopps: you're right...the user at that point will be authenticated so I can use that to check if need be.
-
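Mark's two-page flow above, written out as an added example in C# (ASP.NET WebForms); this is not code from the thread or from MemberProtect. The Step1/Step2 page classes, the txtUserId, txtAnswer and button controls, and the UserStore helpers are assumed names you would supply yourself.

```csharp
// Added example, not code from the thread or from MemberProtect: the two-page flow Mark
// describes. Step1 collects the user ID and stores a server-side marker; Step2 refuses to
// load without that marker, and only its button handler issues the forms-auth cookie.
// Step1/Step2, txtUserId, txtAnswer and the UserStore helpers are hypothetical names.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Step1 : Page
{
    protected void btnNext_Click(object sender, EventArgs e)
    {
        string userId = txtUserId.Text.Trim();
        // Remember the ID server-side; a null ID simply fails in step 2. Redirecting
        // either way avoids telling the visitor whether the ID exists.
        Session["FirstStepUserId"] = UserStore.Exists(userId) ? userId : null;
        Session["FirstStepValidated"] = true;   // never carried as a URL argument
        Response.Redirect("~/Step2.aspx", false);
    }
}

public partial class Step2 : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Anyone arriving without the step-1 marker goes back to the sign-in page.
        if (!true.Equals(Session["FirstStepValidated"]))
            FormsAuthentication.RedirectToLoginPage();
    }

    protected void btnSignIn_Click(object sender, EventArgs e)
    {
        string userId = Session["FirstStepUserId"] as string;
        bool valid = userId != null && UserStore.VerifyAnswer(userId, txtAnswer.Text);
        // Drop the step-1 state whether or not this attempt succeeds, so a failed second
        // step cannot be retried indefinitely against a half-completed login.
        Session.Remove("FirstStepValidated");
        Session.Remove("FirstStepUserId");

        if (!valid)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        // The auth cookie is set only here, after both steps; RedirectFromLoginPage
        // calls SetAuthCookie and honours the ReturnUrl from the original request.
        FormsAuthentication.RedirectFromLoginPage(userId, false);
    }
}
```

Point the forms-authentication loginUrl in web.config at Step1.aspx so that RedirectToLoginPage always lands on the first step rather than the second.
-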
Our company has an ASP.NET security framework product that supports this multi-factor authentication just like you've described. The product, MemberProtect, is primarily designed for banking websites and applications, but the role-based security model will work with any membership website. You can download the free Lite edition to check it out and see example code in the included Visual Studio project and tutorials, both of which contain the source code.
Jason Sherrill InetSolution, Inc.