ASP.NET Identity brings the authentication and authorization to a new level. Based on the OWIN middleware, one can plug & play different authentication and authorization providers, f.x. OAuth, OpenID, simple forms authentication. The beauty of the new identity model is that it provides a unified interface to work with. One can write her own log-in providers that still rely on the same unified interface.
Besides the typical scenarios where a user logs in with her username and password, or Twitter/Facebook/Google, or maybe a two factor log-in with SMS/e-mail confirmation, there is another interesting one. In some cases you would want to enable users to log in with simple forms authentication to access a basic area of functionality, f.x. just reading data. On the contrary you would want to protect other areas of the web site where the user can edit sensitive information, f.x. his password. In this case you may want to require that the user logs in again – either with the same provider or with another one.
To solve this issue I decided to write a simple extension for ASP.NET Identity, which I called Double confirm identity. It provides a set of utility methods you can use to achieve the described scenario.
Why would you make your users log in twice?
Well, this can be discussed from two perspectives: security and usability. From the security’s perspective you would want to make sure the system communicates with the right person. For example, one can log in on a public computer and click “remember me” by accident. When another person uses the same computer, she could open the web site and discover that she is logged in as another person. If she, in this case, tries to edit something, she would be prompted to log in again.
From the usability’s perspective you would want to let your users log in as quickly as possible to your web site, so that they do not get annoyed. By doing this you allow them to browse not so critical information. If they, however, try to view or edit some sensitive areas, you can make them log in again, either with the same provider or with another one.
Here is an example of a workflow for a mobile company user where you can rely on this extension:
- The user logs in with his username and password
- After successful authentication the user is redirected to his profile page where he can see a report of his mobile usage
- The user wants to change his mobile plan on-line
- The user is required to log in again with a national identification provider (f.x., NemID for Denmark)
- After successful log-in the system can be 99% sure that the right user will make the request.
And here is the piece of code one would need to use the extension.
Step 1: Register the OWIN middleware
public partial class Startup
public void ConfigureAuth(IAppBuilder app)
RedirectPath = new PathString("/Account/DoubleConfirmIdentity")
Step 2: Use DoubleConfirmIdentityAttribute to mark the protected controller actions
Step 3: After successful log-in call ApplicationSignInManager.DoubleConfirmIdentityAsync(..) and provide the logged-in ClaimsIdentity
You can see a working example on the GitHub’s repository.
How it works
As ASP.NET Identity is based on claims, when a user logs in second time, a new special claim is added to his identity. DoubleConfirmIdentityAttribute checks whether this special claim exists and allows access to the annotated controller action only if it does so.
This little extension allows you to require that users log in twice (maybe with a different provider) to confirm their identity. Do not hesitate to fork me and send me pull requests, if you like the idea and would like to contribute to develop it. I am very open to suggestions, comments and ideas 🙂