How to Implement Two Factor Authentication in MVC with Google Authenticator

by Ken Miller Tech Writer

These days, more and more websites are providing the option of two factor authentication for your login process. This process allows the authentication of users with the use of two of three authentication factors which are deemed valid. The three valid factors are- something known by the user like PIN, passwords, etc.; something used by the user like ATM card, phone, smart card, RSA keys, etc.; and something like biometric data which includes fingerprints. This two factor authentication has been embraced by quite a few organizations including Dropbox, Hotmail, GitHub and Google, providing this as a security measure that is optional.

In two factor authentication you have to use a combination of at least two factors. Factors like mobiles or RSA keys are best and most common sources used for the generation of one time passwords which is changed over time. For example the code of RSA keys is changed every minute while it is changed by Google Authenticator every 30 seconds. This helps in mitigating chances of attackers intercepting the web traffic. The software based Google Authenticator is an authentication token based on two factors as is apparent from the name itself. This is available on Blackberry, iOS and Android operating systems. A 6 digit counter or time based number is provided by it which acts as 2nd factor for the authentication.

.net application development, asp.net developer, .net developer india, hire dot net developers, .net application development services, net development, asp.net development, hire asp.net developers, .net development, .net development india

.net application development, asp.net developer, .net developer india, hire dot net developers, .net application development services, net development, asp.net development, hire asp.net developers, .net development, .net development india

Now Google Authenticator works by implementing algorithms defined in RFC 6238 which is time-based implementation of the authentication process and RFC 4226 which is counter-based one. The user and the server have to agree on some secret key that will be used as seed value for hashing function. This key can be typed by the user in Google Authenticator or QR code can be used for the automatic setting up of the application. Then any of the algorithms are used by Authenticator and a code is generated for the entering during the process. The very same algorithm as well as secret key is then used by the server for the checking of the code. After agreeing on the secret key, the application generates a 6 digit key which will be the sole data which will be passing between the server and client, without the data passing through servers of Google.

Generation of one-time passwords requires three types of information- counter number, the output's number of digits which are limited to 6 as well as the secret key. For the generation iteration number has to be converted to byte[]. With every authentication success iteration number will be incremented on server and client. Hashing method can be used for that and this hash has to be computed for the counter's current value. The code's next part leads to extraction of binary value of an integer of 4 bytes and then it is shrunk to the required number of digits. One-time password generated based on time can be done following the same principles as the above, except for the automatic definition of time intervals based on counter. A time interval of 30 seconds as well as Unix epoch is required by Authenticator.

After knowing about the working of the code you have to know about how to use it.

1. Creating MVC Web Application- Open Visual Studio 2010 to use “New Project” wizard for creation of new MVC Web Application. Select Internet application there which will result in creation of default Account controller.

2. Creating TwoFactorProfile Class- A Profile class inherited from ProfileBase can be created to store 2 factor secret.

3. Modifying web.config- The element inherited from the TwoFactorProfile created by us can be modified.

4. Modifying AccountController- AccountController has to be modified in some places like Register action so that the user can be sent to ShowTwoFactorSecret page for the setting up of Google Authenticator. ShowTwoFactorSecret action can be created and the LogOn action changed for checking of code that has been provided by user for the validity assurance.

5. Modifying AccountModels- A field can be added to LogOnMode1 class for the working of ShowTwoFactorSecret and new LogOn actions. Then new TwoFactorSecret class can be created.

6. Modifying LogOn.cshtml View- The LogOn view can then be modified for the addition of new TwoFactorCode field.

7. Creating ShowTwoFactorSecret view- Finally the ShowTwoFactorSecret view has to be created by using a QR code's image for the user to scan; the secret can be manually entered as a string.

After you register in the application as new user, a QR code must be scanned with the app or the code under the QR code must be entered manually. After logging in there will be a new field for the entering of Google Authenticator Code. At this point the code must be entered; after entering the code, enter username and password correctly and there will be no problems in logging in. This would help you leverage the benefits of asp.net development.

We provide .net application development services. If you would like to discuss with a certified .net web developer from our team, please get in touch with us at Mindfire Solutions.