c#, asp.net, registration, account

How to create a validation code for account setup that is provided by the company to an approved user?


I am trying to create a website where, when a person registers with the site, they have to have an access pin (or code) to complete creating the account. The person creating the account in a sense would be submitting an application to receive permission to view the data. I understand how to block anonymous users, but want a code generated that is sent to an employee, who would review the application to view the data and determine whether to send the approval code. To add, I'm hoping to have the key as a rotating key which has to be provided by our company for people to create an account with us.

What I'm hoping to have, once the account has been approved, is that the page is as follows:

Email Address

Password

Account Passcode (The part I'm wondering on how to tackle)

For the email address and password, I know there are built-in functions for these first two; however, I'm looking at having a passcode to activate the account which has to be provided by the company after they have verified that the user falls within our guidelines for acceptable usage.


Edit: The data itself isn't confidential and just best practices and how to guides to using our medical products we support. The main focus is to keep patients from finding the information on the internet and performing self-treatment. No vital information, secrets, or confidential information is used.

To add, it would almost be like having an owner's manual for a vehicle that you only want a certified mechanic to use, because you're afraid of the average joe misunderstanding the information, using something incorrectly, or ending up hurting themselves from improper use of the tools.


Solution

  • I believe the core of your problem is that you do not separate authentication from authorization.

    I work in the health care industry as well. The way we secure data is the following:

    1. Anyone can register on our application. Once they are registered however, they only have access to features and data that require no security.
    2. Another application is only accessible by our staff. This application allows our staff to grant and revoke privileges for users.
    3. We have a procedure for establishing which user account. This is authentication, and is up to you to figure out. Identity verification is a large and complex problem that is way outside the scope of StackOverflow.
    4. Once we are confident that a user account really does belong to who they say they are, we grant privileges to the account.
    5. From this point on, the user can access medical data and secure features.

    Now if you want to persist in your PIN solution, you must keep the following in mind:

    First, the security of your PIN is directly related to its length. The PIN is a so-called shared secret in IT security parlance. Currently, the acceptable length of shared secrets is 256 bits according to OWASP. I would actually recommend that you read a lot of OWASP as it will guide you in how to secure your application.

    If after reading all this you still persist on using a PIN, I would recommend finding an entropy source to generate a GUID that your customers will trust.
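As an added example (not code from the question or from the answer above), here is one way to implement the answer's model in C#: anyone can register, but staff issue a per-account, single-use, expiring approval code generated from the OS CSPRNG (256 bits, as the answer recommends, rather than a `Guid.NewGuid()` value, which is not specified to be cryptographically random); only the SHA-256 hash of the code is stored, the comparison is constant-time, and a successful redemption grants the privilege, so authentication (owning the registered account) stays separate from authorization (being allowed to see the material). The class name, method names, user id and the in-memory dictionaries are all hypothetical stand-ins for an ASP.NET identity/role store and a database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical service (illustration only): staff issue an approval code for a
// specific pending account; the plaintext goes to the applicant out of band and
// only its hash is kept, so a database leak does not leak usable codes.
public sealed class ApprovalCodeService
{
    private sealed record PendingApproval(byte[] CodeHash, DateTimeOffset ExpiresAt);

    // Keyed by user id. In a real application both of these live in the database
    // (the second one as a role or claim on the identity).
    private readonly Dictionary<string, PendingApproval> _pending = new();
    private readonly HashSet<string> _approvedUsers = new();
    private readonly TimeSpan _lifetime;

    public ApprovalCodeService(TimeSpan lifetime) => _lifetime = lifetime;

    // Staff action, after they have reviewed the application for this account.
    // Returns the plaintext code exactly once; it is never stored.
    public string IssueCode(string userId)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);   // 32 bytes = 256 bits of entropy
        string code = Convert.ToBase64String(raw);          // 44 characters for the applicant to paste
        _pending[userId] = new PendingApproval(
            Hash(code),
            DateTimeOffset.UtcNow + _lifetime);             // unredeemed codes expire
        return code;
    }

    // Applicant action on the registration page: redeem the code for this account.
    public bool Redeem(string userId, string submittedCode)
    {
        if (!_pending.TryGetValue(userId, out var entry))
            return false;                                   // no code was issued for this account

        if (DateTimeOffset.UtcNow > entry.ExpiresAt)
        {
            _pending.Remove(userId);                        // expired: staff must issue a new one
            return false;
        }

        // Constant-time comparison of hashes, so a wrong guess leaks no timing information.
        if (!CryptographicOperations.FixedTimeEquals(Hash(submittedCode), entry.CodeHash))
            return false;                                   // rate-limit these attempts in a real app

        _pending.Remove(userId);                            // single use: the code is consumed
        _approvedUsers.Add(userId);                         // authorization: grant the privilege
        return true;
    }

    // Authorization check used by the pages that show the protected guides.
    public bool IsApproved(string userId) => _approvedUsers.Contains(userId);

    private static byte[] Hash(string code) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(code));
}

public static class Demo
{
    public static void Main()
    {
        var service = new ApprovalCodeService(TimeSpan.FromDays(7));
        const string applicant = "applicant@example.invalid";   // constructed sample id

        // 1. The applicant has already registered (authentication exists, no privileges yet).
        Console.WriteLine($"Approved before review: {service.IsApproved(applicant)}");

        // 2. Staff approve the application and a code is sent to the applicant out of band.
        string code = service.IssueCode(applicant);
        Console.WriteLine($"Code handed to applicant: {code}");

        // 3. The applicant enters the code on the account page.
        Console.WriteLine($"Wrong code accepted: {service.Redeem(applicant, "not-the-code")}");
        Console.WriteLine($"Genuine code accepted: {service.Redeem(applicant, code)}");
        Console.WriteLine($"Same code a second time: {service.Redeem(applicant, code)}");

        // 4. From here on the account carries the privilege.
        Console.WriteLine($"Approved after redemption: {service.IsApproved(applicant)}");
    }
}
```

Because each code is bound to one pending account, expires, and is consumed on first use, the "rotating key" the question asks for falls out naturally: there is no company-wide secret that every applicant shares and that would have to be rotated whenever it leaked.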