
Every time I see this brought up, people confuse it with two-factor authentication, which is laid out in the new Identity 2.0 template. But is there a process in place to generate a usable (not 100 characters long) reset token for a user and deliver it through SMS? Before I start to build my own method, I was hoping to see at least some advice on how to generate a secure token that is smaller (possibly using PhoneNumberTokenProvider, I assume??), and hopefully not have to alter my tables further.

This seems like the first thing you'd want to be able to do once you have a user with a verified phone number.

Precious Roy

1 Answer


You can plug in a different UserTokenProvider to swap out the tokens for confirmation/reset password. You are free to use the built-in PhoneNumberTokenProvider instead if you prefer generating a time-based TOTP token.

The reason the default tokens are long is that they are self-signed tokens with their lifetime embedded in the token.

Hao Kung
  • How would you use the token generated by another token provider for confirmation on the ResetPasswordAsync() method the other token? Do these tokens never time out? – Precious Roy Jul 24 '14 at 18:03
  • The tokens contain their purpose (for confirmation or reset password), their expiration (1 day), and the user the token belongs to. – Hao Kung Jul 24 '14 at 18:46
  • For anyone still looking, I just answered the same question here http://stackoverflow.com/a/34308708/648484 – Souhaieb Besbes Dec 16 '15 at 09:52
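
The provider swap described in the answer, as an added example that is not code from the original posts or from the ASP.NET Identity project. `SmsPasswordReset` and its method names are hypothetical; the code assumes Identity 2.0, a user store with phone-number and lockout support, and a configured `SmsService`. Because a short numeric code is far easier to guess than the default token, failed attempts are counted toward lockout.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Added example: hypothetical helper, not part of ASP.NET Identity.
public static class SmsPasswordReset
{
    // Replace the long self-signed tokens with short time-based codes.
    // UserTokenProvider is shared, so e-mail confirmation tokens issued by
    // this manager instance become short codes as well.
    public static void UseShortCodes<TUser>(UserManager<TUser> manager)
        where TUser : class, IUser<string>
    {
        manager.UserTokenProvider = new PhoneNumberTokenProvider<TUser>();
    }

    public static async Task SendResetCodeAsync<TUser>(
        UserManager<TUser> manager, string userName)
        where TUser : class, IUser<string>
    {
        var user = await manager.FindByNameAsync(userName);
        // Same silent outcome for unknown users, unverified numbers and
        // locked-out accounts, so the endpoint does not reveal account state.
        if (user == null) return;
        if (!await manager.IsPhoneNumberConfirmedAsync(user.Id)) return;
        if (await manager.IsLockedOutAsync(user.Id)) return;

        string code = await manager.GeneratePasswordResetTokenAsync(user.Id);
        await manager.SendSmsAsync(user.Id, "Your password reset code is " + code);
    }

    public static async Task<bool> ResetWithCodeAsync<TUser>(
        UserManager<TUser> manager, string userName, string code, string newPassword)
        where TUser : class, IUser<string>
    {
        var user = await manager.FindByNameAsync(userName);
        if (user == null || await manager.IsLockedOutAsync(user.Id)) return false;

        // The same ResetPasswordAsync call is used; the active provider validates the code.
        IdentityResult result = await manager.ResetPasswordAsync(user.Id, code, newPassword);
        if (!result.Succeeded)
        {
            // Conservative: a rejected password also counts as a failed attempt.
            await manager.AccessFailedAsync(user.Id);
            return false;
        }
        await manager.ResetAccessFailedCountAsync(user.Id);
        return true;
    }
}
```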