Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
124 lines (79 sloc) 5.55 KB
title author description ms.author ms.date uid
Enable QR Code generation for TOTP authenticator apps in ASP.NET Core
rick-anderson
Discover how to enable QR code generation for TOTP authenticator apps that work with ASP.NET Core two-factor authentication.
riande
08/14/2018
security/authentication/identity-enable-qrcodes

Enable QR Code generation for TOTP authenticator apps in ASP.NET Core

::: moniker range="<= aspnetcore-2.0"

QR Codes requires ASP.NET Core 2.0 or later.

::: moniker-end

::: moniker range=">= aspnetcore-2.0"

ASP.NET Core ships with support for authenticator applications for individual authentication. Two factor authentication (2FA) authenticator apps, using a Time-based One-time Password Algorithm (TOTP), are the industry recommended approach for 2FA. 2FA using TOTP is preferred to SMS 2FA. An authenticator app provides a 6 to 8 digit code which users must enter after confirming their username and password. Typically an authenticator app is installed on a smart phone.

The ASP.NET Core web app templates support authenticators, but don't provide support for QRCode generation. QRCode generators ease the setup of 2FA. This document will guide you through adding QR Code generation to the 2FA configuration page.

Two factor authentication does not happen using an external authentication provider, such as Google or Facebook. External logins are protected by whatever mechanism the external login provider provides. Consider, for example, the Microsoft authentication provider requires a hardware key or another 2FA approach. If the default templates enforced "local" 2FA then users would be required to satisfy two 2FA approaches, which is not a commonly used scenario.

Adding QR Codes to the 2FA configuration page

These instructions use qrcode.js from the https://davidshimjs.github.io/qrcodejs/ repo.

::: moniker-end

::: moniker range=">= aspnetcore-2.1"

  • Follow the instructions in Scaffold Identity to generate /Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.
  • In /Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml, locate the Scripts section at the end of the file:

::: moniker-end

::: moniker range="= aspnetcore-2.0"

  • In Pages/Account/Manage/EnableAuthenticator.cshtml (Razor Pages) or Views/Manage/EnableAuthenticator.cshtml (MVC), locate the Scripts section at the end of the file:

::: moniker-end

::: moniker range=">= aspnetcore-2.0"

@section Scripts {
    @await Html.PartialAsync("_ValidationScriptsPartial")
}
  • Update the Scripts section to add a reference to the qrcodejs library you added and a call to generate the QR Code. It should look as follows:
@section Scripts {
    @await Html.PartialAsync("_ValidationScriptsPartial")

    <script type="text/javascript" src="~/lib/qrcode.js"></script>
    <script type="text/javascript">
        new QRCode(document.getElementById("qrCode"),
            {
                text: "@Html.Raw(Model.AuthenticatorUri)",
                width: 150,
                height: 150
            });
    </script>
}
  • Delete the paragraph which links you to these instructions.

Run your app and ensure that you can scan the QR code and validate the code the authenticator proves.

Change the site name in the QR Code

::: moniker-end

::: moniker range=">= aspnetcore-2.1"

The site name in the QR Code is taken from the project name you choose when initially creating your project. You can change it by looking for the GenerateQrCodeUri(string email, string unformattedKey) method in the /Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs.

::: moniker-end

::: moniker range="= aspnetcore-2.0"

The site name in the QR Code is taken from the project name you choose when initially creating your project. You can change it by looking for the GenerateQrCodeUri(string email, string unformattedKey) method in the Pages/Account/Manage/EnableAuthenticator.cshtml.cs (Razor Pages) file or the Controllers/ManageController.cs (MVC) file.

::: moniker-end

::: moniker range=">= aspnetcore-2.0"

The default code from the template looks as follows:

private string GenerateQrCodeUri(string email, string unformattedKey)
{
    return string.Format(
        AuthenticatorUriFormat,
        _urlEncoder.Encode("Razor Pages"),
        _urlEncoder.Encode(email),
        unformattedKey);
}

The second parameter in the call to string.Format is your site name, taken from your solution name. It can be changed to any value, but it must always be URL encoded.

Using a different QR Code library

You can replace the QR Code library with your preferred library. The HTML contains a qrCode element into which you can place a QR Code by whatever mechanism your library provides.

The correctly formatted URL for the QR Code is available in the:

  • AuthenticatorUri property of the model.
  • data-url property in the qrCodeData element.

TOTP client and server time skew

TOTP (Time-based One-Time Password) authentication depends on both the server and authenticator device having an accurate time. Tokens only last for 30 seconds. If TOTP 2FA logins are failing, check that the server time is accurate, and preferably synchronized to an accurate NTP service.

::: moniker-end

You can’t perform that action at this time.