Simple, easy to use server-side two-factor authentication library for .NET that works with Google Authenticator
Install-Package GoogleAuthenticator
Additional examples at Google.Authenticator.WinTest and Google.Authenticator.WebSample
key should be stored by your application for future authentication and shouldn't be regenerated for each request. The process of storing the private key is outside the scope of this library and is the responsibility of the application.
using Google.Authenticator;
string key;
TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
SetupCode setupInfo = tfa.GenerateSetupCode("Test Two Factor", "user@example.com", key, false, 3);
string qrCodeImageUrl = setupInfo.QrCodeSetupImageUrl;
string manualEntrySetupCode = setupInfo.ManualEntryKey;
imgQrCode.ImageUrl = qrCodeImageUrl;
lblManualSetupCode.Text = manualEntrySetupCode;
// verify
TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
bool result = tfa.ValidateTwoFactorPIN(key, txtCode.Text)Added support for configuring the "time step". This is basically how often the code changes. The default used by most authenticator apps is 30 seconds, but some hardware devices use 60 seconds. You can now specify this in the constructor.
Added support for HMACSHA256 and HMACSHA512 as per the RFC spec. In testing it was found that several popular apps (such as Authy and Microsoft Authenticator) may not have support for these algorithms so care should be taken by the developer to ensure compatible apps are used.
Fixed an edge case where specifying an interval of 30 seconds to the Validate function would be treated as if you had passed in 0.
- Removed .NET 5 and added .NET 7 to test frameworks
- Updated dependencies for test runs
- Support ValidateTwoFactorPIN with iterationOffset as parameter
- Removed support for legacy .Net Framework. Lowest supported versions are now netstandard2.0 and .Net 4.6.2.
- All use of System.Drawing has been removed. In 2.5, only Net 6.0 avoided System.Drawing.
- Linux installations no longer need to ensure
libgdiplusis installed as it is no longer used. - Changed from using
EscapeUriStringtoEscapeDataStringto encode the "account title" as the former is obsolete in .Net 6. This changes the value in the generated data string froma@b.comtoa%40b.com. We have tested this with Google Authenticator, Lastpass Authenticator and Microsoft Authenticator. All three of them handle it correctly and all three recognise that it is still the same account so this should be safe in most cases.
Now runs on .Net 6.0.
Technically the QR Coder library we rely on still does not fully support .Net 6.0 so it is possible there will be other niggling issues, but for now all tests pass for .Net 6.0 on both Windows and Linux.
- Old documentation indicated specifying width and height for the QR code, but changes in QR generation now uses pixels per module (QR "pixel") so using a value too high will result in a huge image that can overrun memory allocations
- Don't use the secret key and
ManualEntryKeyinterchangeably.ManualEntryKeyis used to enter into the authenticator app when scanning a QR code is impossible and is derived from the secret key (discussion example) - With versions prior to 3.0 only, on linux, you need to ensure
libgdiplusis installed if you want to generate QR Codes. See codebude/QRCoder#227.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
