
Mini Deliverable for JADER Ltd - 2FA - on subcontract to Jolene Kearse (Available for hire)

  1. I, @hkdave95, of JADER Ltd commissioned Jolene who was open to hire to work on a C# 2FA + Microsoft Authenticator App solution.
  2. Jolene accepted the commission.
  3. We spent a good few hours over about a week learning some things about 2FA, and setting up projects of varying types to test various theories as to why it was not working.
  4. Without giving too much away - this is a secure part of my program and I have made a custom implementation away from the Microsoft standard.
  5. Ok so I shall put a few code snippets in.
  6. The TOTP library I used is OtpNet.
  7. This relates to Snippet 1.
    1. Against the user we store a unique code, in this case a Guid; we call it a TOTPSecret. This is combined with some other information (described later) which is used via a barcode to add an entry into the Microsoft Authenticator App. Note: ToString("N") strips the dashes out of the Guid.
    2. We found some code on the internet to convert a String to a Base32String and make it a byte array so that the Totp library can absorb it and return a code to compare to the one the user logging in gets from the App and sends to the validation Controller.
  8. This relates to Snippet 2.
    1. Note the OtpUri line. I think that this is the area I had most difficulty with. Once I took a free format version of creating this information and then put it into this call to get the relevant Barcode data it added the entry to the App.
    2. You also see me storing the unique secret with the user identity record. The same secret is sent to the Microsoft Authenticator App via barcode to be stored there too, enabling accurate matching of browser entry, controller calculation (calling the Totp server) and the Totp server being called from the App.

I really am pleased to have spent time on this and asked another coder for help.

All for Now and one for all.

@hkdave95

Snippet 1:

// Requires: using System.Text; using OtpNet;
// Server-side login check: only runs when the user exists and already has a TOTP secret enrolled.
if (loUser != null && loUser.Load(this._oDbContext) && loUser._gTOTPSecret != Guid.Empty)
{
    // "N" format = 32 hex characters with no dashes; its ASCII bytes are the shared TOTP key.
    string lsSecret = loUser._gTOTPSecret.ToString("N");
    // ASCII bytes -> Base32 text -> bytes: round-trips to the same key bytes that Snippet 2 gives the app.
    byte[] laSecret = Base32Encoding.ToBytes(Booking.Library.Classes.Encryption.Base32.ToBase32String(Encoding.ASCII.GetBytes(lsSecret)));
    OtpNet.Totp loTotp = new Totp(laSecret);
    // Code for the current 30-second time step (no tolerance window: an exact match is required).
    string lsTotpCompute = loTotp.ComputeTotp();
    // The submitted code is held as an int, so re-pad it to six digits before comparing.
    if (lsTotpCompute != loCaptchaData._n2FACode.ToString("000000"))
    {
        return Json(new { bResult = false, sMessage = "2FA Authentication failed!" });
    }
}

Snippet 2:

// Requires: using System.Text; using OtpNet;
// Server-side setup: generate the per-user secret once and persist it on the identity record.
if (loUser._gTOTPSecret == Guid.Empty)
{
    loUser._gTOTPSecret = Guid.NewGuid();
    await loUser.Update(this._oSecurityManager);
}
// Build the otpauth:// URI (same key bytes as Snippet 1) that is rendered as the barcode the Authenticator App scans.
loSetup2FAData._s2FAValue = (new OtpNet.OtpUri(OtpType.Totp, Encoding.ASCII.GetBytes(loUser._gTOTPSecret.ToString("N")), loUser.UserName, Booking.Library.Classes.Constants._sCompanyName)).ToUri().AbsoluteUri;

To be clear: Snippet 1 is the server test when logging in / Snippet 2 is the server setup part.

Also, this is not the way the Microsoft Identity part of the program dictates you use Totp and 2FA. However, 10 programmers in a room make 9 ways forward ... who is right and who is wrong?

(Do right - Do wrong) + Do different = Luck.

Spend it wisely my friends.

#dodifferent is the motto of the University of East Anglia, a fine learning institution of this region.
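An added example, not code from the post above: the same GUID-as-secret scheme as Snippets 1 and 2 in one stand-alone console program, with one defensive change for the login check. Instead of comparing against a single ComputeTotp() string, it uses OtpNet's VerifyTotp with the RFC 6238 network-delay window, which also returns the matched time step so a server can refuse that step a second time. It assumes the OtpNet NuGet package; the class, method and sample user names are mine.

```csharp
using System;
using System.Text;
using OtpNet;

// Added example (not the forum post's code). Assumes the OtpNet NuGet package is referenced.
static class TotpDemo
{
    // Setup side (role of Snippet 2): the shared key is the ASCII bytes of the dash-less GUID,
    // and the otpauth:// URI is what the authenticator app scans as a barcode.
    static byte[] SecretFromGuid(Guid totpSecret) =>
        Encoding.ASCII.GetBytes(totpSecret.ToString("N"));   // "N" = 32 hex chars, no dashes

    static string BuildOtpAuthUri(Guid totpSecret, string userName, string issuer) =>
        new OtpUri(OtpType.Totp, SecretFromGuid(totpSecret), userName, issuer).ToUri().AbsoluteUri;

    // Login side (role of Snippet 1): verify the six-digit code the user submitted.
    // VerifyTotp accepts the previous/next step per RFC 6238 instead of demanding an exact match
    // against the current ComputeTotp(), and reports which step matched for replay tracking.
    static bool VerifyCode(Guid totpSecret, string submittedCode, out long matchedStep)
    {
        var totp = new Totp(SecretFromGuid(totpSecret));
        return totp.VerifyTotp(submittedCode, out matchedStep, VerificationWindow.RfcSpecifiedNetworkDelay);
    }

    static void Main()
    {
        Guid userSecret = Guid.NewGuid();   // what the user record stores as _gTOTPSecret
        Console.WriteLine(BuildOtpAuthUri(userSecret, "alice@example.test", "Example Co"));

        // Simulate the app: it holds the same key bytes and computes the current code.
        string appCode = new Totp(SecretFromGuid(userSecret)).ComputeTotp();

        // Simulate the browser path in the post: the code arrives as an int (leading zeros lost)
        // and is re-padded with ToString("000000") before the comparison.
        string submitted = int.Parse(appCode).ToString("000000");

        Console.WriteLine(VerifyCode(userSecret, submitted, out long step)
            ? $"2FA ok (matched time step {step})"
            : "2FA Authentication failed!");

        // The Snippet 1 round trip (ASCII -> Base32 -> bytes) yields exactly the key bytes that
        // Snippet 2 hands to OtpUri, which is why the app and the server agree on the code.
        byte[] roundTrip = Base32Encoding.ToBytes(Base32Encoding.ToString(SecretFromGuid(userSecret)));
        bool sameKey = Convert.ToBase64String(roundTrip) == Convert.ToBase64String(SecretFromGuid(userSecret));
        Console.WriteLine(sameKey ? "secret round-trips intact" : "secret mismatch");
    }
}
```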