Turn off 2-factor authentication without device
I've implemented 2-factor authentication in my ASP.NET Core application. Yesterday I implemented the use of recovery codes, to be used in case a user loses his device.
My question is actually pure theoretical.
If a user has used a recovery code, we don't want to disable the 2-factor authentication. But in order to disable 2FA, the user needs to generate a verification code using his mobile phone. So he will not be able to turn off 2FA in any way.
So the only thing to do for someone who has lost his device is to keep using backup codes, keep an eye that they don't run out, and generate new backup codes in time (which he has to write down again). Or ask the administrator to disable 2FA for him. But isn't there a better way to deal with this kind of cases?
I ended up doing the following:
Enable 2-factor authentication: Obviously, here you request a verificationcode
During login: Request verificationcode, but also allow
TwoFactorRecoveryCodeSignInAsync
- Disable 2-factor authentication: Allow both verificationcode and recoverycode
- Bypass 2-factor authentication for external logins + Generate new recoverycodes: Only allow verificationcode
- How can I make my Blazor Web App save the login infor entered as it would in InteractiveServer but still be able to use the HttpContext for login?
- Exchanging a google idToken for local openId token c#
- Is the ConfigureApplicationCookie(...) designed to allow us to configure an existing cookie by default in the default scheme (Cookies)?
- How to manage user claims?
- How can I use Dependency Injection in an ASP.NET Core ActionFilterAttribute?
- How to get Role Claims in asp.net core 6 web api?
- ASP.NET Core Web API - FluentValidationMvcExtensions.AddFluentValidation(IMvcBuilder, Action<FluentValidationMvcConfiguration>)' is obsolete
- Write and read string from MemoryStream
- How to Implement Polymorphic Request Bodies in ASP.NET Core Web API with Swagger UI?
- How to set up Automapper in ASP.NET Core
- What means skipNegotiation in SignalR HubConnection?
- BasePageModel in Razor Pages
- How to auto increment the version (eg. “1.0.*”) of a .NET Core project?
- Secrets inject securely Dockerfile during build .NET
- EF Core 8 does not merge entities
- How to use appsettings.json in Asp.net core 6 Program.cs file
- How to determine if asp.net core has been installed on a windows server
- .NET 8 Blazor Server - role authorization with Windows Authentication
- Should EFCore migrations be committed to version control?
- EF Core one-to-one relation returns one-to-many relation
- How to deal with Id property in DTO in ASP.NET Web API
- Get null in controller when implementing IEnumerable in ASP NET model
- .NET Core 3.1 GoogleSignIn -The authentication handler registered for scheme 'Bearer' is 'JwtBearerHandler' which cannot be used for SignInAsync
- How do I serve static files only to authorized users?
- .NET 7 and UseEndPoints()
- 'Unable to resolve service for type ¨Microsoft.entityFrameworkCore.DbContextOptions¨1[LibraryData.LibraryContext] while attempting to activate
- Require authenticated user in asp.net core but require custom policy in some actions require custom policy
- Stop request in CookieAuthenticationEvents.OnValidatePrincipal after response body has been written to
- IDX10603: The algorithm: 'HS256' requires the SecurityKey.KeySize to be greater than '128' bits. KeySize reported: '32'. Parameter name: key.KeySize
- Relation between Authorization middleware and filter Asp.net core