tags:
views: 109
answers: 2

hey everyone,

Has anyone created or read an article on creating a multi-factor login system for asp.net? The idea would be to have a security question after the login to validate the user. The security question would be something they would generate. Kinda similar to the way some online banks do it.

A: 

Well, you wouldn't be able to use the built-in login controls for ASP.NET but rolling your own is easy enough. You would simply delay the call to FormsAuthentication.SetAuthCookie(...); until after the second page.

Mark Brittingham
so the loginUrl would be the first login page... if passed, send to the second page... then set the FormsAuth cookie once the second piece is validated?
chopps
Right - the first page collects the User ID, for example. If a matching ID is found in the database, then a redirect to the second page is sent. On the second page, the user will enter their password (identify a picture, etc.). Assuming the password matches, you'll SetAuthCookie.
Mark Brittingham
Got it. I would just need to set some session variable that the user passed the first step, so if someone tries to bypass the login process they would be redirected to the second login page or to an error page.
chopps
Yes - that is right...you must not count on an argument passed in the URL! Anyone arriving without the appropriate session variable set would be redirected back to the signin page.
Mark Brittingham
Hey Mark and others, If you have a chance take a look at this little test project. I have it working but wouldn't mind any extra pair of eyes to see if it looks ok. http://is.gd/rekn
chopps
I think I might have cleaned the code up a bit too much. On the ValidateLogin Page_Load it should look like this:
chopps
    // ValidateLogin.aspx Page_Load: the step-one flag lives in session, never in the URL
    if (!MySess.Current.IsFirstStepValidated)
        FormsAuth.RedirToLoginPage();                 // no first step passed: back to the sign-in page
    else if (MySess.Current.IsSecondStepValidated)
        Response.Redirect("default.aspx");            // both steps already done: nothing left to ask
chopps
code above abbreviated to make it fit in text area..sorry
chopps
Chopps - if you are on the second page, you'll just have the "if (!..IsFirstStepValidated) Response.Redirect(..);" in the Page_Load. Then in the button handler where they enter the password, you'll redirect to the login destination. I don't think you'll even need to declare a session var for step 2.
Mark Brittingham
You're right... the user at that point will be authenticated, so I can use that to check if need be.
chopps
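Putting Mark Brittingham's answer and the comment thread together, here is an added example of the whole two-step flow in ASP.NET Web Forms. It is not code from the thread or from chopps's linked test project. Page names (Login.aspx, ValidateLogin.aspx), the session key, the control names (txtUserName, txtPassword, txtAnswer, lblQuestion, lblError), and the SecurityQuestionStore helper with its hashed sample data are assumptions made for illustration; step one validates ID and password through the Membership provider, step two asks the user's own security question, and FormsAuthentication.SetAuthCookie is only called after step two succeeds.

```csharp
// Added example, not from the thread. Step one: Login.aspx (the loginUrl in web.config).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Session key recording which user passed step one (assumed name).
    public const string FirstStepKey = "Auth.FirstStepUser";

    protected void btnNext_Click(object sender, EventArgs e)
    {
        string user = txtUserName.Text.Trim();

        // Validate ID + password, but deliberately do NOT call SetAuthCookie yet.
        if (Membership.ValidateUser(user, txtPassword.Text))
        {
            Session[FirstStepKey] = user;          // server-side flag, never a URL argument
            Response.Redirect("~/ValidateLogin.aspx");
        }
        else
        {
            Session.Remove(FirstStepKey);
            lblError.Text = "Invalid user name or password.";
        }
    }
}

// Step two: ValidateLogin.aspx asks the question the user generated for themselves.
public partial class ValidateLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Anyone arriving without the step-one session flag goes back to the sign-in page.
        string user = Session[Login.FirstStepKey] as string;
        if (user == null)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        if (!IsPostBack)
            lblQuestion.Text = SecurityQuestionStore.GetQuestion(user);
    }

    protected void btnVerify_Click(object sender, EventArgs e)
    {
        string user = Session[Login.FirstStepKey] as string;
        if (user == null) { FormsAuthentication.RedirectToLoginPage(); return; }

        if (SecurityQuestionStore.AnswerMatches(user, txtAnswer.Text))
        {
            Session.Remove(Login.FirstStepKey);   // the step-one flag is single use
            FormsAuthentication.SetAuthCookie(user, false);   // only now is the user signed in
            Response.Redirect("~/Default.aspx");
        }
        else
        {
            lblError.Text = "Answer did not match.";
        }
    }
}

// Hypothetical store of each user's question and a hash of the answer;
// a real application would read these from its membership database.
static class SecurityQuestionStore
{
    private static readonly Dictionary<string, Tuple<string, string>> Store =
        new Dictionary<string, Tuple<string, string>>(StringComparer.OrdinalIgnoreCase)
        {
            // Constructed sample row: user "alice", her own question, hash of answer "fluffy".
            { "alice", Tuple.Create("Name of your first pet?", Hash("fluffy")) }
        };

    public static string GetQuestion(string user)
    {
        Tuple<string, string> entry;
        return Store.TryGetValue(user, out entry) ? entry.Item1 : "Security question";
    }

    public static bool AnswerMatches(string user, string answer)
    {
        Tuple<string, string> entry;
        if (!Store.TryGetValue(user, out entry)) return false;
        return string.Equals(entry.Item2, Hash(answer), StringComparison.Ordinal);
    }

    // Answers are normalised (trimmed, lower-cased) before hashing so "Fluffy " still matches.
    private static string Hash(string answer)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(answer.Trim().ToLowerInvariant()));
            return BitConverter.ToString(digest);
        }
    }
}
```

The point Mark makes about the URL is the Page_Load check: the only evidence that step one happened is the server-side session entry, so requesting ValidateLogin.aspx directly, with or without a query-string argument, just bounces back to the loginUrl. Removing the session flag once the cookie is issued means a second visit to the step-two page also goes back to the start rather than re-asking an already authenticated user.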
A: 

Our company has an ASP.NET security framework product that supports this multi-factor authentication just like you've described. The product, MemberProtect, is primarily designed for banking websites and applications, but the role-based security model will work with any membership website. You can download the free Lite edition to check it out and see example code in the included Visual Studio project and tutorials, both of which contain the source code.

http://www.memberprotect.net

Jason Sherrill InetSolution, Inc.

Jason Sherrill