An ABP module that adds TOTP (Time-based One-Time Password) two-factor authentication (MFA) with:
- Google / Microsoft Authenticator support
- QR Code & manual setup key
- Optional MFA enforcement middleware
- Testable Application + Web integration tests
- Enable / Disable / Reset TOTP-based MFA
- Admin can reset MFA for users in User Management
- QR Code provisioning (`otpauth://`)
- Manual setup key (for devices without camera)
- Optional enforcement middleware (force all users to enable MFA)
- Integrates with ABP Account Profile page (`/Account/Manage`)
- Designed for easy mocking & testing
In your host web module:

```csharp
[DependsOn(
    typeof(Rm.TwoFactorAuth.Web.TwoFactorAuthWebModule)
)]
public class YourHostWebModule : AbpModule
{
}
```

No additional pipeline code is required in the host project. The module registers the required components.
Configuration (typically in `appsettings.json`):

```json
{
  "RmTwoFactorAuth": {
    "Issuer": "Rm.TwoFactorAuth",
    "Enforcement": {
      "Enabled": true,
      "EnrollPath": "/account/manage",
      "ApiReturnUnauthorizedInsteadOfRedirect": true
    }
  }
}
```

| Key | Description |
|---|---|
| `Issuer` | App name shown in Authenticator apps |
| `Enforcement.Enabled` | Force all authenticated users to enable MFA |
| `Enforcement.EnrollPath` | Page users are redirected to when MFA is required |
| `Enforcement.ApiReturnUnauthorizedInsteadOfRedirect` | APIs return 401 instead of a redirect |
User flow:

1. User logs in normally
2. User visits `/Account/Manage`
3. MFA section is shown:
   - QR Code
   - Manual setup key
4. User scans the QR code or enters the setup key
5. User enters the 6-digit verification code
6. MFA is enabled

If enforcement is enabled:
- Non-MFA users are automatically redirected to the enroll page.
This module integrates with the ABP Account Profile page by bundling a script into the Manage page:

```csharp
Configure<AbpBundlingOptions>(options =>
{
    options.ScriptBundles.Configure(
        typeof(ManageModel).FullName,
        configuration =>
        {
            configuration.AddFiles("/Pages/Account/Components/ProfileManagementGroup/TwoFactorAuthentication/Default.js");
        });
});
```

Pages affected:

- Account Profile (`/Account/Manage`): shows the QR code and manual setup key when MFA is not enabled, and shows Disable/Reset actions when it is enabled.
- User Login MFA code verification (`/Account/LoginWith2fa`): processes the second stage of the authentication flow. It validates the user-submitted MFA token and establishes a secure session upon successful verification.
- Identity Users (`/Identity/Users`): adds a "Reset MFA" action in the user row actions for administrators.
| Method | Path | Description |
|---|---|---|
| GET | `/api/rm/two-factor/setup` | Returns MFA status |
| GET | `/api/rm/two-factor/qr` | Returns QR code image |
| POST | `/api/rm/two-factor/enable` | Enable MFA |
| POST | `/api/rm/two-factor/disable` | Disable MFA |
| POST | `/api/rm/two-factor/reset` | Reset MFA (new key) |
| POST | `/api/rm/two-factor/reset-id` | Admin reset MFA by userId |

Responses:

- `204 No Content` – success (controller returns `Task`)
- `400 Bad Request` – invalid verification code (throws `AbpValidationException`)
- `401 Unauthorized` – blocked by enforcement middleware in API mode (when enabled)
For users without a camera:
- A manual setup key is provided
- The Copy button should copy a whitespace-free key

Example key (shown with spaces for readability; the copied version contains no spaces):

```
USS4S 5PCFP NEYUA KGSJE I45PZ CQRG2 Q5
```
Optional enforcement middleware, added to the host pipeline:

```csharp
// using Rm.TwoFactorAuth.Web.Enforcement;
// after app.UseAuthorization();
app.UseEnforcementTwoFactorAuth();
```

When enabled:
- All authenticated users must enable MFA
- Allowed paths are configurable via `AllowPathPrefixes`
- The default allowlist typically includes:
  - `/account/login`
  - `/account/manage`
  - `/api/rm/two-factor`
  - `/api/abp`
  - Static assets (`/css`, `/js`, ...)

This prevents redirect loops and keeps ABP infrastructure endpoints working.
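As an added illustration of the enforcement policy described above (not the module's own middleware), here is a standalone ASP.NET Core middleware that applies the allowlist, the API-versus-browser distinction and the enroll redirect; the type names `TwoFactorEnforcementOptions`, `IMfaStatusLookup` and `TwoFactorEnforcementMiddleware` are assumed:

```csharp
// Illustrative enforcement middleware; names and the IMfaStatusLookup abstraction are assumed.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;

public class TwoFactorEnforcementOptions
{
    public bool Enabled { get; set; }
    public string EnrollPath { get; set; } = "/account/manage";
    public bool ApiReturnUnauthorizedInsteadOfRedirect { get; set; } = true;
    // Paths that stay reachable for users who have not enrolled yet; this is what prevents redirect loops.
    public string[] AllowPathPrefixes { get; set; } = new[]
        { "/account/login", "/account/manage", "/api/rm/two-factor", "/api/abp", "/css", "/js" };
}

// Assumed abstraction over the user store: does the current user have TOTP MFA enabled?
public interface IMfaStatusLookup
{
    Task<bool> IsEnabledAsync(HttpContext context);
}

public class TwoFactorEnforcementMiddleware
{
    private readonly RequestDelegate _next;
    public TwoFactorEnforcementMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext ctx, IOptions<TwoFactorEnforcementOptions> opts, IMfaStatusLookup mfa)
    {
        var o = opts.Value;
        var path = ctx.Request.Path.Value ?? "/";
        // Anonymous traffic is left to the login flow; allowlisted paths and enrolled users pass through.
        if (!o.Enabled
            || ctx.User?.Identity?.IsAuthenticated != true
            || o.AllowPathPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase))
            || await mfa.IsEnabledAsync(ctx))
        {
            await _next(ctx);
            return;
        }
        // API callers receive a 401 they can handle; browser navigations are sent to the enrollment page.
        if (o.ApiReturnUnauthorizedInsteadOfRedirect && path.StartsWith("/api/", StringComparison.OrdinalIgnoreCase))
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }
        ctx.Response.Redirect(o.EnrollPath);
    }
}
```

Register it with `app.UseMiddleware<TwoFactorEnforcementMiddleware>()` after `app.UseAuthorization()` so `ctx.User` is already populated when it runs.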
Install only `Rm.TwoFactorAuth.Web`. The other packages are pulled in automatically as dependencies.