When deploying an app to production for the first time (for example using Asp.Net Identity for user management and Entity Framework Core for an ORM) and there is a need for an initial administrator account to be created after it is deployed, what is the best way to achieve this securely? All of the options I can think of below are not perfect:
Is there any standard way of doing this I may have missed?
The pattern will depend on your use case, and how you expect the app to be deployed. You need to consider the risk profile of the setup environment.
In general, hard coded values are a bad idea, particularly for anything network facing. There are also some issues with automatic "no users" detection as a trigger - as it makes deleting all the existing users into an attack vector.
Common models include:
If using SSO, federated auth or similar, rely on the authentication platforms mechanisms to deal with this if possible.
Installer setup - some part of the installation / deployment process enbles setting an initial credential.
"first run" - when the app / site is first accessed, some kind of setup process runs, allowing you to configure the first user and any other initial setup.
log token - the application genenerates some kind of temp credential and logs it when it first starts - this allows anyone with log access to login with it. May be used to build on security of "first run".
enable temp user in config- define a user credential in a static config file, which is intended to be used to setup, then removed.
In any case where a temp credential is used, it should be diminished as far as possible - ie. single use, time restricted, least privillage.