Summary: My task is to decide how the user authentication should be implemented for the cloud-based project that should be evolved from the older WebForms application. I am at the beginning of the decision process, but I have to decide soon; so, I will appreciate your experience.
Why WebForms? The application is based on the older WebForms code, this way it should start from the WebForms code. The problem is that the application should be ready rather quickly, so the code must be reused as much as possible. Also, we do not have developers that have working knowledge with MVC. Some trade-offs are necessary. However, the log-in process will be new, and it can be implemented using the MVC approach.
What is new: The older code was built to run on the intranet web server, the users signed-in using simple login names. Security things were not that complex. The application uses the pre-ASP.NET Identity -- really old, and that part of the application should be replaced. There will be more groups of users that should work in the separate workspace (think of companies).
New acount -- authentication: The user should use valid e-mail address to ask for registration. For the new user, the e-mail should be validated as existing, and then it should be approved by the administrator dedicated for the group.
Authorization: A user will be allowed to work only with some data. Think in terms of using a single database where the user of one group should be allowed to access only the part dedicated to the group. However, there may be power users that may have more rights.
Should I focus on using ASP.NET Identity? If yes, (not being dependent on the older versions) should I start with ASP.NET Identity 3 that is currently in 3.0.0-beta7 (see https://github.com/aspnet/Identity.git), or should I stick with version 2?
ASP.NET Identity is Microsoft's main thrust for identity and membership and their newest identity library. If you are concerned about continued support then this is the library for you.
The ASP.NET Identity library supports your need for claims based authorization (in your case using roles/groups) and recording email addresses confirmation. This is available out of the box.
I would not recommend using ASP.NET Identity 3 however, as this is designed with ASP.NET vNext in mind, not something you want to do with your legacy system.
Stick with ASP.NET Identity v2.x