Simple, easy to use server-side/desktop two-factor authentication library for .NET that works with authenticator apps e.g. from Google, from Microsoft, Authy or LastPass.
Install-Package TwoFactorAuthenticator
Also see additional example projects at
- TwoFactorAuthenticator.WinformsExample
- TwoFactorAuthenticator.WpfExample
- TwoFactorAuthenticator.WebSample
key
should be stored by your application for future authentication and shouldn't be regenerated for
each request. The process of storing the private key is outside the scope of this library and is the
responsibility of the application.
using TwoFactorAuthenticator;
using TwoFactorAuthenticator.QrCoder;
string key = Guid.NewGuid().ToString().Replace("-", "").Substring(0, 10);
Authenticator tfa = new Authenticator();
QrCoderSetupCodeGenerator qrscg = new QrCoderSetupCodeGenerator { PixelsPerModule = 3 };
SetupCode setupInfo = tfa.GenerateSetupCode("Test Two Factor", "[email protected]", key, false);
string qrCodeImageUrl = setupInfo.GenerateQrCodeUrl(qrscg);
using (MemoryStream ms = new MemoryStream(setupCode.GetQrCodeImageData(qrscg)))
{
qrCodePictureBox.Image = Image.FromStream(ms);
}
this.setupInfo.Text = "Account: " + setupCode.Account + System.Environment.NewLine +
"Encoded Key: " + setupCode.ManualEntryKey;
Authenticator tfa = new Authenticator();
PasswordToken token = tfa.GetCurrentPIN(key);
using (var unsafeToken = UnsafeToken.FromPasswordToken(token))
{
string pin = unsafeToken.ToString();
}
// demo example: holding the code in memory is unsafe
byte[] digits = { 0, 1, 2, 3, 4, 5 };
Authenticator tfa = new Authenticator();
PasswordToken token = new PasswordToken();
// perform append when a single digit is entered by user
for (int i = 0; i < 6; i++)
result.AppendDigit(digits[i]);
bool result = tfa.ValidateTwoFactorPIN(key, token);
Upstream changes:
- Added support for configuring the "time step". This is basically how often the code changes. The default used by most authenticator apps is 30 seconds, but some hardware devices use 60 seconds. You can now specify this in the constructor.
- Added support for HMACSHA256 and HMACSHA512 as per the RFC spec. In testing it was found that several popular apps (such as Authy and Microsoft Authenticator) may not have support for these algorithms so care should be taken by the developer to ensure compatible apps are used.
- Fixed an edge case where specifying an interval of 30 seconds to the Validate function would be treated as if you had passed in 0.
- Support ValidateTwoFactorPIN with iterationOffset as parameter
- see Issue #31: Addressed a problem of PasswordToken.FromPassCode with codes having leading zeros.
- see PR #14: Updated System.Security.Cryptography.ProtectedData from 6.0.0 to 7.0.1.
- Breaking changes:
TwoFactorAuthenticator
should not be named like its namespace (created collision); new name is justAuthenticator
- Changed interface to use secured
PasswordToken
instead of primitive string
- Introduced
UnsafeToken
for generation / UI purposes - Introduced
FactorControl
for WinForms
- Forked and separated into two packages
- Lowest supported versions are now netstandard2.0 and .Net 4.7.2.
-
Ideally use PasswordToken.FromPassCode methods for low security, demonstration or test purposes only. Using this methods implies the passcode is held somewhere in memory by your code. This is most likely to be completely unprotected.
-
Don't use the secret key and
ManualEntryKey
interchangeably.ManualEntryKey
is used to enter into the authenticator app when scanning a QR code is impossible and is derived from the secret key (discussion example)