Search code examples
asp.net-corerecoverytwo-factor-authentication

Turn off 2-factor authentication without device

I've implemented 2-factor authentication in my ASP.NET Core application. Yesterday I implemented the use of recovery codes, to be used in case a user loses his device.

My question is actually pure theoretical.

If a user has used a recovery code, we don't want to disable the 2-factor authentication. But in order to disable 2FA, the user needs to generate a verification code using his mobile phone. So he will not be able to turn off 2FA in any way.

So the only thing to do for someone who has lost his device is to keep using backup codes, keep an eye that they don't run out, and generate new backup codes in time (which he has to write down again). Or ask the administrator to disable 2FA for him. But isn't there a better way to deal with this kind of cases?

2FA recovery using ASP.NET Core

Solution

  • I ended up doing the following:

    • Enable 2-factor authentication: Obviously, here you request a verificationcode

    • During login: Request verificationcode, but also allow TwoFactorRecoveryCodeSignInAsync

    Login 2-factor authentication 2-factor Recovery

    • Disable 2-factor authentication: Allow both verificationcode and recoverycode

    Disable 2-factor authentication

    • Bypass 2-factor authentication for external logins + Generate new recoverycodes: Only allow verificationcode

    enter image description here