TwoFactorAuthenticator

Simple, easy to use server-side/desktop two-factor authentication library for .NET that works with authenticator apps e.g. from Google, from Microsoft, Authy or LastPass.

Install-Package TwoFactorAuthenticator

Usage

Also see additional example projects at

• TwoFactorAuthenticator.WinformsExample
• TwoFactorAuthenticator.WpfExample
• TwoFactorAuthenticator.WebSample

key should be stored by your application for future authentication and shouldn't be regenerated for each request. The process of storing the private key is outside the scope of this library and is the responsibility of the application.

Generate setup code

using TwoFactorAuthenticator;
using TwoFactorAuthenticator.QrCoder;

string key = Guid.NewGuid().ToString().Replace("-", "").Substring(0, 10);

Authenticator tfa = new Authenticator();
QrCoderSetupCodeGenerator qrscg = new QrCoderSetupCodeGenerator { PixelsPerModule = 3 };

SetupCode setupInfo = tfa.GenerateSetupCode("Test Two Factor", "user@example.com", key, false);

string qrCodeImageUrl = setupInfo.GenerateQrCodeUrl(qrscg);

using (MemoryStream ms = new MemoryStream(setupCode.GetQrCodeImageData(qrscg)))
{
    qrCodePictureBox.Image = Image.FromStream(ms);
}

this.setupInfo.Text = "Account: " + setupCode.Account + System.Environment.NewLine +
                      "Encoded Key: " + setupCode.ManualEntryKey;

Generation

Authenticator tfa = new Authenticator();
PasswordToken token = tfa.GetCurrentPIN(key);
using (var unsafeToken = UnsafeToken.FromPasswordToken(token))
{
    string pin = unsafeToken.ToString();
}

Verification

// demo example: holding the code in memory is unsafe
byte[] digits = { 0, 1, 2, 3, 4, 5 };

Authenticator tfa = new Authenticator();
PasswordToken token = new PasswordToken();

// perform append when a single digit is entered by user
for (int i = 0; i < 6; i++)
    result.AppendDigit(digits[i]);

bool result = tfa.ValidateTwoFactorPIN(key, token);

History

1.2.0

Upstream changes:

• Added support for configuring the "time step". This is basically how often the code changes. The default used by most authenticator apps is 30 seconds, but some hardware devices use 60 seconds. You can now specify this in the constructor.
• Added support for HMACSHA256 and HMACSHA512 as per the RFC spec. In testing it was found that several popular apps (such as Authy and Microsoft Authenticator) may not have support for these algorithms so care should be taken by the developer to ensure compatible apps are used.
• Fixed an edge case where specifying an interval of 30 seconds to the Validate function would be treated as if you had passed in 0.
• Support ValidateTwoFactorPIN with iterationOffset as parameter

1.1.2

• see Issue #31: Addressed a problem of PasswordToken.FromPassCode with codes having leading zeros.

1.1.1

• see PR #14: Updated System.Security.Cryptography.ProtectedData from 6.0.0 to 7.0.1.

1.1.0

• Breaking changes:
  • TwoFactorAuthenticator should not be named like its namespace (created collision); new name is just Authenticator
  • Changed interface to use secured PasswordToken instead of primitive string
• Introduced UnsafeToken for generation / UI purposes
• Introduced FactorControl for WinForms

1.0.1

• Forked and separated into two packages
• Lowest supported versions are now netstandard2.0 and .Net 4.7.2.

Common Pitfalls

• Ideally use PasswordToken.FromPassCode methods for low security, demonstration or test purposes only. Using this methods implies the passcode is held somewhere in memory by your code. This is most likely to be completely unprotected.

• Don't use the secret key and ManualEntryKey interchangeably. ManualEntryKey is used to enter into the authenticator app when scanning a QR code is impossible and is derived from the secret key (discussion example)