
I have implemented ASP.NET Identity 2.0.1 and I am using two-factor authentication for web-based sign-ins, and I am quite pleased with its usage and overall security.

However, for mobile devices which access the same web sites via Web API 2, I am using OAuth2 bearer token authentication, and of course there is no such concept as two-factor authentication with bearer tokens.

What is the recommended approach when one wants the same two-factor level of security on mobile devices as with web-based sign-ins? Am I missing something?

plippard

1 Answer


I've done it this way:

  1. User requests a token (through OAuthAuthorizationServerProvider) without a two-factor code and gets back an access token with a basic claim.
  2. User requests a two-factor code through a POST to another controller using this token. This controller method is protected by a claims check (checking the basic claim).
  3. User receives the two-factor code.
  4. User requests a new access token through the same token endpoint (passing the code as a query parameter).

    http://localhost:12345/api/token?code=abc

    body: {grant_type=password&username=username&password=password1}

  5. In OAuthAuthorizationServerProvider you need to override GrantResourceOwnerCredentials and check for the two-factor code. If the code is present and the user's credentials are OK, issue a new token with a higher claim which permits access to the other resources.

user3595571
  • Can I preliminarily return something from GrantResourceOwnerCredentials that would indicate that the code is missing? – Toolkit Feb 22 '16 at 19:44
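The five-step flow from the answer above, written out as an added example against ASP.NET Identity 2.x and the OWIN OAuth authorization server (this is not the answerer's code). Assumed names: ApplicationUserManager and ApplicationUser from the standard Identity template, the claim type urn:example:auth_level with the values "basic" and "full", and a two-factor provider registered on the user manager under the name "PhoneCode". The token endpoint handles steps 1, 4 and 5; TwoFactorController is step 2; AccountController is a resource that only the elevated token may reach.

```csharp
// Added example, not the original answer's code. Assumptions: ApplicationUserManager /
// ApplicationUser (Identity template), the "urn:example:auth_level" claim type, and a
// two-factor provider registered as "PhoneCode" on the user manager.
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public const string LevelClaim = "urn:example:auth_level";   // assumed claim type
    public const string TwoFactorProvider = "PhoneCode";         // assumed provider name

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public mobile client, no client secret (as in the answer's flow)
        return Task.FromResult(0);
    }

    // Steps 1, 4 and 5 all arrive here with grant_type=password.
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

        var user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // SetError makes the OWIN server answer 400 with {"error":"invalid_grant", ...}
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        identity.AddClaim(new Claim(ClaimTypes.Name, user.UserName));

        // The code travels as ?code=... on the token endpoint URL (step 4 of the answer).
        string code = context.Request.Query.Get("code");
        if (string.IsNullOrEmpty(code))
        {
            // Step 1: no code, so issue the basic token. It can request a code but
            // cannot reach resources that require the "full" level.
            identity.AddClaim(new Claim(LevelClaim, "basic"));
            context.Validated(identity);
            return;
        }

        // Step 5: verify the code against the registered provider before elevating.
        bool valid = await userManager.VerifyTwoFactorTokenAsync(user.Id, TwoFactorProvider, code);
        if (!valid)
        {
            context.SetError("invalid_grant", "The two-factor code is invalid or has expired.");
            return;
        }

        identity.AddClaim(new Claim(LevelClaim, "full"));
        context.Validated(identity);
    }
}

// Step 2: deliver the code. Any bearer token (basic or full) may call this.
[Authorize]
[RoutePrefix("api/twofactor")]
public class TwoFactorController : ApiController
{
    [HttpPost, Route("send")]
    public async Task<IHttpActionResult> Send()
    {
        var userManager = Request.GetOwinContext().GetUserManager<ApplicationUserManager>();
        string userId = User.Identity.GetUserId();
        string token = await userManager.GenerateTwoFactorTokenAsync(userId, ApplicationOAuthProvider.TwoFactorProvider);
        // Sends through the SmsService/EmailService configured for the provider (step 3).
        await userManager.NotifyTwoFactorTokenAsync(userId, ApplicationOAuthProvider.TwoFactorProvider, token);
        return Ok();
    }
}

// A resource that requires the elevated token from step 5.
[Authorize]
[RoutePrefix("api/account")]
public class AccountController : ApiController
{
    [HttpGet, Route("balance")]
    public IHttpActionResult Balance()
    {
        var level = ((ClaimsIdentity)User.Identity).FindFirst(ApplicationOAuthProvider.LevelClaim);
        if (level == null || level.Value != "full")
            return StatusCode(HttpStatusCode.Forbidden); // basic token: not enough
        return Ok(new { balance = 42 }); // constructed sample payload
    }
}
```

Two practical notes on this layout. The provider named in TwoFactorProvider must be registered on the user manager (for example PhoneNumberTokenProvider via RegisterTwoFactorProvider) before GenerateTwoFactorTokenAsync or VerifyTwoFactorTokenAsync will accept it. And because the code rides in the query string, it will appear in web server and proxy logs; moving it into the form body or a custom header keeps it out of those logs without changing the rest of the flow.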