-->By Rick Anderson and Swiss-Devs
Warning
Two factor authentication (2FA) authenticator apps, using a Time-based One-time Password Algorithm (TOTP), are the industry recommended approach for 2FA. 2FA using TOTP is preferred to SMS 2FA. For more information, see Enable QR Code generation for TOTP authenticator apps in ASP.NET Core for ASP.NET Core 2.0 and later.
This tutorial shows how to set up two-factor authentication (2FA) using SMS. Instructions are given for twilio and ASPSMS, but you can use any other SMS provider. We recommend you complete Account Confirmation and Password Recovery before starting this tutorial.
View or download sample code. How to download.
Create a new ASP.NET Core project
Create a new ASP.NET Core web app named Web2FA with individual user accounts. Follow the instructions in Enforce HTTPS in ASP.NET Core to set up and require HTTPS.
Create an SMS account
Create an SMS account, for example, from twilio or ASPSMS. Record the authentication credentials (for twilio: accountSid and authToken, for ASPSMS: Userkey and Password).
Netcore Solutions's project sends SMSes to spread word about the centre's skilling initiative and direct applicants to the nearest training centres Mumbai: Girish Chaturvedi, group vice-president. The runtime on Android and iOS for.NET apps is Mono. Mono is constantly changing (importing code from.NET source base) and of course.NET Core uses a lot of code from Mono (low level Unix codebase).
Speaking with MediaNama, Netcore CEO Girish Nair said that via a partnership with Verisign, the company is introducing Phone.cc, which allows each user with an Indian mobile number (beginning with. Mobile being your customers’ omnipresent companion, SMS presents you with immense opportunities to strengthen existing customer connects in a multi-channel environment, primarily while sharing time-sensitive content with them. Actually I wanted to render mobile views for mobile device and desktop views for desktop device – Sweetie Jan 7 '20 at 7:20 I think it can be done in middleware on the same way. – zholinho Jan 8 '20 at 21:44.
Figuring out SMS Provider credentials
Twilio:
From the Dashboard tab of your Twilio account, copy the Account SID and Auth token.
ASPSMS:
From your account settings, navigate to Userkey and copy it together with your Password.
We will later store these values in with the secret-manager tool within the keys SMSAccountIdentification and SMSAccountPassword.
Specifying SenderID / Originator
Twilio:From the Numbers tab, copy your Twilio phone number.
ASPSMS:Within the Unlock Originators Menu, unlock one or more Originators or choose an alphanumeric Originator (Not supported by all networks).
We will later store this value with the secret-manager tool within the key SMSAccountFrom.
Provide credentials for the SMS service
We'll use the Options pattern to access the user account and key settings.
- Create a class to fetch the secure SMS key. For this sample, the
SMSoptionsclass is created in the Services/SMSoptions.cs file.
Set the SMSAccountIdentification, SMSAccountPassword and SMSAccountFrom with the secret-manager tool. For example:
- Add the NuGet package for the SMS provider. From the Package Manager Console (PMC) run:
Twilio:
Install-Package Twilio
ASPSMS:
Install-Package ASPSMS
- Add code in the Services/MessageServices.cs file to enable SMS. Use either the Twilio or the ASPSMS section:
Twilio:
ASPSMS:
Configure startup to use SMSoptions
Add SMSoptions to the service container in the ConfigureServices method in the Startup.cs:
Enable two-factor authentication
Open the Views/Manage/Index.cshtml Razor view file and remove the comment characters (so no markup is commented out).
Log in with two-factor authentication
- Run the app and register a new user
- Tap on your user name, which activates the
Indexaction method in Manage controller. Then tap the phone number Add link.
- Add a phone number that will receive the verification code, and tap Send verification code.
- You will get a text message with the verification code. Enter it and tap Submit
If you don't get a text message, see twilio log page.
- The Manage view shows your phone number was added successfully.
- Tap Enable to enable two-factor authentication.
Test two-factor authentication
Log off.
Log in.
The user account has enabled two-factor authentication, so you have to provide the second factor of authentication . In this tutorial you have enabled phone verification. The built in templates also allow you to set up email as the second factor. You can set up additional second factors for authentication such as QR codes. Tap Submit.
Enter the code you get in the SMS message.
Clicking on the Remember this browser check box will exempt you from needing to use 2FA to log on when using the same device and browser. Enabling 2FA and clicking on Remember this browser will provide you with strong 2FA protection from malicious users trying to access your account, as long as they don't have access to your device. You can do this on any private device you regularly use. By setting Remember this browser, you get the added security of 2FA from devices you don't regularly use, and you get the convenience on not having to go through 2FA on your own devices.
Account lockout for protecting against brute force attacks
Account lockout is recommended with 2FA. Once a user signs in through a local account or social account, each failed attempt at 2FA is stored. If the maximum failed access attempts is reached, the user is locked out (default: 5 minute lockout after 5 failed access attempts). A successful authentication resets the failed access attempts count and resets the clock. The maximum failed access attempts and lockout time can be set with MaxFailedAccessAttempts and DefaultLockoutTimeSpan. The following configures account lockout for 10 minutes after 10 failed access attempts:
Confirm that PasswordSignInAsync sets lockoutOnFailure to true:
By Steve Smith
Mobile apps can communicate with ASP.NET Core backend services. For instructions on connecting local web services from iOS simulators and Android emulators, see Connect to Local Web Services from iOS Simulators and Android Emulators.
The Sample Native Mobile App
This tutorial demonstrates how to create backend services using ASP.NET Core MVC to support native mobile apps. It uses the Xamarin Forms ToDoRest app as its native client, which includes separate native clients for Android, iOS, Windows Universal, and Window Phone devices. You can follow the linked tutorial to create the native app (and install the necessary free Xamarin tools), as well as download the Xamarin sample solution. The Xamarin sample includes an ASP.NET Web API 2 services project, which this article's ASP.NET Core app replaces (with no changes required by the client).
Features
The ToDoRest app supports listing, adding, deleting, and updating To-Do items. Each item has an ID, a Name, Notes, and a property indicating whether it's been Done yet.
Netcore Mobile Phones & Portable Devices Driver
The main view of the items, as shown above, lists each item's name and indicates if it's done with a checkmark.
Tapping the + icon opens an add item dialog:
Tapping an item on the main list screen opens up an edit dialog where the item's Name, Notes, and Done settings can be modified, or the item can be deleted:
This sample is configured by default to use backend services hosted at developer.xamarin.com, which allow read-only operations. To test it out yourself against the ASP.NET Core app created in the next section running on your computer, you'll need to update the app's RestUrl constant. Navigate to the ToDoREST project and open the Constants.cs file. Replace the RestUrl with a URL that includes your machine's IP address (not localhost or 127.0.0.1, since this address is used from the device emulator, not from your machine). Include the port number as well (5000). In order to test that your services work with a device, ensure you don't have an active firewall blocking access to this port.
Creating the ASP.NET Core Project
Create a new ASP.NET Core Web Application in Visual Studio. Choose the Web API template and No Authentication. Name the project ToDoApi.
The application should respond to all requests made to port 5000. Update Program.cs to include .UseUrls('http://*:5000') to achieve this:
Note
Make sure you run the application directly, rather than behind IIS Express, which ignores non-local requests by default. Run dotnet run from a command prompt, or choose the application name profile from the Debug Target dropdown in the Visual Studio toolbar.
Add a model class to represent To-Do items. Mark required fields with the [Required] attribute:
The API methods require some way to work with data. Use the same IToDoRepository interface the original Xamarin sample uses:
For this sample, the implementation just uses a private collection of items:
Configure the implementation in Startup.cs:
At this point, you're ready to create the ToDoItemsController.
Tip
Learn more about creating web APIs in Build your first Web API with ASP.NET Core MVC and Visual Studio.
Creating the Controller
Add a new controller to the project, ToDoItemsController. It should inherit from Microsoft.AspNetCore.Mvc.Controller. Add a Route attribute to indicate that the controller will handle requests made to paths starting with api/todoitems. The [controller] token in the route is replaced by the name of the controller (omitting the Controller suffix), and is especially helpful for global routes. Learn more about routing.
The controller requires an IToDoRepository to function; request an instance of this type through the controller's constructor. At runtime, this instance will be provided using the framework's support for dependency injection.
This API supports four different HTTP verbs to perform CRUD (Create, Read, Update, Delete) operations on the data source. The simplest of these is the Read operation, which corresponds to an HTTP GET request.
Reading Items
Netcore Mobile Phones & Portable Devices Drivers
Requesting a list of items is done with a GET request to the List method. The [HttpGet] attribute on the List method indicates that this action should only handle GET requests. The route for this action is the route specified on the controller. You don't necessarily need to use the action name as part of the route. You just need to ensure each action has a unique and unambiguous route. Routing attributes can be applied at both the controller and method levels to build up specific routes.
The List method returns a 200 OK response code and all of the ToDo items, serialized as JSON.
You can test your new API method using a variety of tools, such as Postman, shown here:
Creating Items
By convention, creating new data items is mapped to the HTTP POST verb. The Create method has an [HttpPost] attribute applied to it and accepts a ToDoItem instance. Since the item argument is passed in the body of the POST, this parameter specifies the [FromBody] attribute.
Inside the method, the item is checked for validity and prior existence in the data store, and if no issues occur, it's added using the repository. Checking ModelState.IsValid performs model validation, and should be done in every API method that accepts user input.
The sample uses an enum containing error codes that are passed to the mobile client:
Test adding new items using Postman by choosing the POST verb providing the new object in JSON format in the Body of the request. You should also add a request header specifying a Content-Type of application/json.
The method returns the newly created item in the response.
Updating Items
Modifying records is done using HTTP PUT requests. Other than this change, the Edit method is almost identical to Create. Note that if the record isn't found, the Edit action will return a NotFound (404) response.
To test with Postman, change the verb to PUT. Specify the updated object data in the Body of the request.
This method returns a NoContent (204) response when successful, for consistency with the pre-existing API.
Deleting Items
Deleting records is accomplished by making DELETE requests to the service, and passing the ID of the item to be deleted. As with updates, requests for items that don't exist will receive NotFound responses. Otherwise, a successful request will get a NoContent (204) response.
Note that when testing the delete functionality, nothing is required in the Body of the request.
Common Web API Conventions
As you develop the backend services for your app, you will want to come up with a consistent set of conventions or policies for handling cross-cutting concerns. For example, in the service shown above, requests for specific records that weren't found received a NotFound response, rather than a BadRequest response. Similarly, commands made to this service that passed in model bound types always checked ModelState.IsValid and returned a BadRequest for invalid model types.
Once you've identified a common policy for your APIs, you can usually encapsulate it in a filter. Learn more about how to encapsulate common API policies in ASP.NET Core MVC applications.
Additional resources