Multi-Factor Authentication Design with IdentityServer4 and ASP.NET Core 2.0 (1)
Chapter 1
Today, almost every login system verifies an account with more than a username and password, usually adding an OTP sent through SMS, because a normal password login is no longer safe.
ASP.NET / IdentityServer4 has built-in MFA, which in the case above is 2FA. This article introduces how to design and implement your own MFA without using the built-in one from ASP.NET / IdentityServer4.
The challenges are …
- Make RESTful Authentication
- No UI in Identity Server for Authentication.
- Stateless Authentication based on JWT.
- The number of enrollment steps is unlimited. (2FA takes 2 steps)
- Each part can verify individually.
- All parts need to work together as steps of verification.
The challenges can be grouped into 3 groups:
- Apply Extension Grants, which is one of the Grant Types of Identity Server, as the authentication mechanism.
- Apply JWT as a Stateless Token between Client and Server, then set an expiry time in each verification step.
- It is important to create a Verification Unit for each part: it does its own verification, releases the Claims as output and forwards them to the next Verification Unit, so the units operate one after another. Put them together (wired) as a pipeline using the Identifier. Finally, make the Secret and Hashing.
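The step-token chain described in the last two points, as an added language-neutral sketch in Python (not code from this article or from IdentityServer4). The unit identifiers, claim names (`done`, `next`), key and 120-second lifetime are assumptions, and `proof_ok` stands in for each unit's real check.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"    # assumption: server-side signing secret
PIPELINE = ["password", "otp"]   # assumption: unit identifiers, in order
STEP_TTL = 120                   # assumption: seconds allowed per step

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(claims, now):
    """Sign claims as a compact HS256 JWT that expires STEP_TTL after now."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({**claims, "exp": int(now) + STEP_TTL}).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def read(token, now):
    """Return the claims; raise ValueError on a bad signature or expiry."""
    head, body, sig = token.split(".")
    # The algorithm is fixed server-side; the header's "alg" is never trusted.
    if not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("step token expired")
    return claims

def run_unit(unit, proof_ok, now, token=None, subject=None):
    """Run one verification unit; its output claims feed the next unit.
    proof_ok stands in for the unit's real check (password hash, OTP match)."""
    idx = PIPELINE.index(unit)
    if idx == 0:
        claims = {"sub": subject, "done": []}
    else:
        claims = read(token or "", now)
        if claims.get("next") != unit:
            raise ValueError("token was not issued for this step")
    if not proof_ok:
        raise ValueError(unit + " verification failed")
    nxt = PIPELINE[idx + 1] if idx + 1 < len(PIPELINE) else None
    done = claims["done"] + [unit]
    return issue({"sub": claims["sub"], "done": done, "next": nxt}, now)
```

A token whose `next` claim is `None` has passed every unit; adding a third factor only means appending its identifier to `PIPELINE`.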
Chapter 2 : The explanation of the diagram and how it works.