About Two-Factor Authentication

Aref K.
A free video tutorial from Aref K.
Principal Solutions Architect
4.3 instructor rating • 10 courses • 62,046 students

Lecture description

If your website includes sensitive data, you had better add an extra layer of security to it. One good way of making sure that a legitimate user is logging into the system is to use the Microsoft Authenticator mobile application. Users will have this application on their mobile devices. The app generates codes which expire in a short time. Upon logging in, users have to enter this code into a text box, and you allow the user to log in only if the code is valid.

Learn more from the full course

ASP.NET Core Identity and Security (SECOND EDITION)

Develop secure ASP.NET Core applications and protect them against cyber attacks

04:35:48 of on-demand video • Updated January 2020

  • Implementing Sign Up and Sign-in with E-mail confirmation
  • Implementing Two-Factor Authentication
  • Authorization with Roles
  • Implementing Claim-based authorization with Policies
  • Adding Facebook Login to Your ASP .NET Core Websites
  • Protect your web application against Cross-Site Scripting Attack (XSS)
  • Protect your web application against Cross-Site Request Forgery Attacks
  • Protect your web application against SQL Injections
  • Define Cross Origin Resource Sharing (CORS) policies
  • Protect your web application against Open Redirect Attacks
  • Web Application Firewalls (WAF) and Cloudflare
In this lecture, we want to learn about multi-factor authentication, or MFA, and understand how it works. Normally, to let people log into a system, we ask for something that they know, for example a combination of username and password. If the username and password match, then the user can log in. Sometimes, on top of this, we ask for something that people have. For example, people normally carry their mobile phone with them. So on some websites, once you log in with your username and password, they will send a randomly generated code to your mobile phone and then ask you to put that code back into a form. If the code matches the randomly generated code, then you will be logged in. The third way of authentication is using your fingerprints or your facial attributes. For example, sometimes when you go to airports they scan your face, or the new devices, the new laptops or new mobile phones, can be unlocked with your fingerprint. These are normally called biometric devices. So if you use two of these together, for example a combination of username and password plus sending a random code to someone's mobile phone, that is called two-factor authentication, or 2FA, because you are using two different ways of authentication. If you use more than two ways, obviously that is multi-factor authentication, or MFA. However, 2FA and MFA are used interchangeably, so don't be confused: if you see 2FA or MFA on the Internet, 99 percent of the time both mean only two-factor authentication, and I haven't really seen many websites that use more than two ways of authentication. In order to use two-factor authentication with a randomly generated code, you have to use an authenticator application, a mobile application.

The most common ones are the Microsoft Authenticator app, which you can download from either the Google Play Store or the Apple App Store, or you can use the Google Authenticator app. It doesn't matter which one you use; they both do the same thing. Or the system can generate a random number and send it to your mobile phone via SMS, and then you put this number back in the form that the website provides to you. However, Microsoft doesn't recommend using SMS because it's not deemed to be the safest option. The safest option is always using a mobile application that generates the random code for you, and that is what we are going to do in this course.

Now let's have a look at the flow where we enable multi-factor authentication, because to use multi-factor authentication you need to set it up and enable it first, and then you can use it in your login form. This sequence diagram shows how we enable multi-factor authentication. There are three actors in this diagram, from left to right: we have the authenticator application, we have the user who wants to set up multi-factor authentication with their mobile phone, and we have the web application, which is based on ASP.NET Core Identity. So in order to set up multi-factor authentication, first of all the application has to generate a random code, or token, and the user goes to the mobile application and puts that random token into it. The mobile application uses that token to generate a code. This code is only valid when that token was entered; it will not be valid for any other token, so the code is unique to that token. So the mobile application, the authenticator application, will generate a code, and then the user gets the code and puts it back into a form, for example, and it gets passed to your application. The application uses one of the methods of ASP.NET Core Identity, and if that method says the code is valid for the generated token, then it sends an accept message back to the user.

That means that multi-factor authentication is set up, and the user can enable it in their user profile, so the next time they log in, multi-factor authentication will be active.

In order to use multi-factor authentication, again we have the same actors; however, they interact in a different order. So when a user wants to log in, they have to use their mobile and use the authenticator application. The authenticator application, for example Microsoft Authenticator, will generate a random code for them. These are randomly generated codes and they are time-based. By default, they are only valid for 30 seconds or so; every 30 seconds these codes are regenerated. So you have 30 seconds to use the code, otherwise it becomes invalid. So you grab the code and then you put it in a box, for example a text box on the login form, and it gets passed to the application. The application validates it for you using the token that it generated at the very beginning when you set up MFA. Then if it is valid, it lets you know, and then you let the user log in. Now, let's go to the next lecture and set up multi-factor authentication for our ASP.NET Core application.
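Both flows described above, setup and login, rest on the TOTP algorithm (RFC 6238) that the authenticator app and the web application each compute independently. The Python below is an added example, not the course's code: it stands in for ASP.NET Core Identity's own token provider so the shared secret (the lecture's "token"), the 30-second step and the server-side verification window are visible. The `window` tolerance and the Base32 secret format are this example's choices, consistent with what common authenticator apps expect.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # the lecture's "valid for 30 seconds or so"
DIGITS = 6          # what Microsoft/Google Authenticator display by default


def new_shared_secret(num_bytes: int = 20) -> str:
    """Setup flow: the random 'token' the user enters into the authenticator app (Base32)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def totp(secret_b32: str, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix
    epoch. The authenticator app and the server both compute exactly this value."""
    return hotp(secret_b32, int(at // STEP_SECONDS), digits)


def verify(secret_b32: str, submitted: str, at: float, window: int = 1) -> bool:
    """Login flow: the server recomputes the code from the token it stored at setup.
    `window` steps either side absorb clock drift and the time the user spends typing."""
    step = int(at // STEP_SECONDS)
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, step + delta)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    secret = new_shared_secret()      # setup: the token shown to the user once
    now = time.time()
    code = totp(secret, now)          # what the authenticator app would display
    print("code valid now:", verify(secret, code, now))
    print("same code, another user's token:", verify(new_shared_secret(), code, now))
    print("same code five minutes later:", verify(secret, code, now + 300))
```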