Many of you may be a bit confused about ASP.NET Identity v2 and how it implements its new features, especially two factor authentication. Lots of people are curious about this feature, and you may be worried about the approach Microsoft has taken. ASP.NET Identity v2 is still not released; this blog post is about the publicly available nightly builds.
Second Factor For Authentication – Email
In ASP.NET Identity's new sample template application, you will find two different delivery mechanisms configured for two factor authentication: one sends the code by SMS to the user's phone, and the other sends it to the user's registered email account.
Lots of people are surprised to see email offered as an option for two factor authentication, because they understood two factor authentication to mean presenting two distinct factors, such as a password, a key or a biometric.
However, using email as a second factor does not really give you two factor authentication. Imagine an attacker who compromises the user's email account; it is not easy, but it happens quite often. Once the attacker has done that, he is in a position to intercept the email based two factor authentication token.
Moreover, the user's password is compromised as well, because the attacker can issue a password reset that is confirmed through the user's email. So, controlling the user's email defeats both the password and the two factor authentication code.
However, when the user's mobile phone is used as the second factor, compromising the user's email is not enough; the attacker would also need to compromise the mobile phone in order to access the application. That is the point of two factor authentication: it requires more effort from the attacker.
For many people, using email does not seem very strong, so it is better to disable email based two factor authentication and use the mobile phone delivery mechanism.
Another One: Time Based Two Factor Authentication Codes
ASP.NET Identity uses RFC 6238 to generate the two factor authentication codes. The way it works is that the code is determined by the clock time: for the configured window of time, the code stays the same.
To be more precise, the window of time is based on the server's clock time, not on the time the code was requested. That means from 2pm to 2:05pm the code has a steady value; when the clock hits 2:05pm the code changes, and it then does not change again until 2:10pm. This is a nice idea, since it is similar to how the RSA key fob code generators work.
ASP.NET Identity took this approach so that it would not have to store anything in the database for the two factor authentication code. It is a trade-off, but unfortunately it is the wrong trade-off, since it makes the developer's job easier at the expense of user friendliness.
Two Factor Authentication Code Generation & All Your Database
So, remember the crucial rule of how you should store passwords: the basis is that an attacker has pwned your database. That means the attacker can obtain many of the inputs that seed the RFC 6238 algorithm I mentioned above for the time based two factor authentication code generation.
It means that if an attacker has access to a user's record in the database, they can calculate exactly the same two factor authentication code that ASP.NET Identity generates. So this seems only a little better for those ASP.NET users who were already a little worried about ASP.NET Identity v2.