A sample that showcases how to implement Two-Factor authentication in a Web API using an external Authenticator app.
- Open the appsettings.json file and set the connection string to the database
- Run the application
- Call
/api/auth/registerto register a new user - Call
/api/auth/loginto get a user token (this is not the JWT and expires after 5 minutes) - Call
/api/auth/qrcodewith the user token to get the QR Code to add the account to the Authenticator app (note: the QR Code can be obtain only once, this is by design in this sample) - Call
/api/auth/validatewith the user token and the OTP code to get the actual JWT
The built-in support for Two-Factor authentication in ASP.NET Core lacks some features. We may want to handle the other options that are provided by the RFC 6238, for example:
- Getting the time step of OTP verification to check that the code has only been validated once
- Defining the window of time steps that are considered acceptable for validation
In this case, it is possible to take a look to Otp.Net and use it to implement the OTP verification.