2FA with Nexmo SMS or SendGrid Email

Securing Your ASP.NET App with 2FA Using Nexmo SMS and SendGrid Email

Published August 10, 2016 by Sidharth Sharma

Two-factor authentication (2FA) is a must nowadays if you want to increase the security of your application. It shows up in all kinds of apps, from the signup process to verifying individual user actions. The most common forms of 2FA are phone verification and email verification.

In this tutorial we’ll show how to set up 2FA in your .NET application using ASP .NET Identity, the Nexmo C# Client Library for SMS auth and the SendGrid C# Client for email auth.

If you just want to see the result you can take a look at the video or grab the code.

Setup ASP .NET MVC application

Open Visual Studio and create a new ASP .NET MVC application. For this demo, we’ll delete the Contact & About sections from the default generated website.

Install the Nexmo Client to your app via NuGet Package Manager

Add the Nexmo Client to your application via the NuGet Package Console.

Install the SendGrid client via NuGet Package Manager

Add Nexmo and SendGrid credentials

For the purpose of the demo we’ll put the Nexmo and SendGrid credentials in the <appSettings> section of the Web.config file. If we were developing this application for distribution we might choose to enter these credentials in our Azure portal instead of shipping them in the config file.

Plug in Nexmo in the SMS Service, SendGrid in the Email Service

Inside the IdentityConfig.cs file, add the SendGrid configuration to the EmailService. Then, plug the Nexmo Client into the SMSService of the same file.

Remember to add the using directives for the Nexmo.Api and SendGrid namespaces, and any other namespaces that are flagged as missing.
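As an added example (this is not the post's own code), here is what the two services in IdentityConfig.cs can look like once wired up. It assumes the v6-era SendGrid C# client (SendGridMessage plus the Web transport) and the Nexmo.Api 2.x static SMS.Send call, and it reads the sender address, from-number and SendGrid API key from appSettings keys whose names are my own choice; the Nexmo client itself reads Nexmo.api_key and Nexmo.api_secret from appSettings.

```csharp
// Added example: IdentityConfig.cs services for SendGrid (email) and Nexmo (SMS).
// AppSettings key names below are assumptions for this demo.
using System.Configuration;
using System.Net.Mail;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Nexmo.Api;
using SendGrid;

public class EmailService : IIdentityMessageService
{
    public Task SendAsync(IdentityMessage message)
    {
        var mail = new SendGridMessage();
        mail.AddTo(message.Destination);
        mail.From = new MailAddress(
            ConfigurationManager.AppSettings["SendGrid.FromAddress"], "2FA Demo");
        mail.Subject = message.Subject;
        mail.Text = message.Body;
        mail.Html = message.Body;

        // The API key lives in <appSettings>; never hard-code it in source.
        var transport = new Web(ConfigurationManager.AppSettings["SendGrid.ApiKey"]);
        return transport.DeliverAsync(mail);
    }
}

public class SmsService : IIdentityMessageService
{
    public Task SendAsync(IdentityMessage message)
    {
        // Nexmo.Api picks up Nexmo.api_key / Nexmo.api_secret from <appSettings>.
        var result = SMS.Send(new SMS.SMSRequest
        {
            from = ConfigurationManager.AppSettings["Nexmo.FromNumber"],
            to = message.Destination,
            text = message.Body
        });

        // One response entry per message part; status "0" means accepted.
        // Logging failures keeps silent non-delivery visible (field names assumed).
        foreach (var part in result.messages)
        {
            if (part.status != "0")
            {
                System.Diagnostics.Trace.TraceWarning(
                    "Nexmo SMS to {0} not accepted, status {1}", message.Destination, part.status);
            }
        }
        return Task.FromResult(0);
    }
}
```

The Identity framework calls SendAsync with an IdentityMessage whose Destination is the email address or phone number on the user, so neither service needs to know which user it is sending for.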

Add ‘SendEmailConfirmationTokenAsync()’ method to ‘AccountController’

Add the following method to your AccountController which will be called on user registration to send a confirmation email to the provided email address.

Update ‘Register’ action method

Inside the Register method of the AccountController, set two properties on the newly created ApplicationUser: TwoFactorEnabled (true) and PhoneNumberConfirmed (false). Once the user is successfully created, store the user ID in session state and redirect the user to the AddPhoneNumber action method in the ManageController.
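The helper from the previous step and the updated Register action together, as an added example that is not the post's own code. It relies on the members the default ASP.NET Identity template already gives AccountController (UserManager, AddErrors, RegisterViewModel, ApplicationUser); the session key "UserID" and the email subject text are taken from the post, and the exact body of the confirmation email is my own.

```csharp
// Added example: AccountController members for the registration step.
// UserManager, AddErrors and the view models come from the default template.
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class AccountController : Controller
{
    // Generates a single-use email confirmation token for the user, turns it into
    // an absolute ConfirmEmail link, and sends it through UserManager.EmailService.
    private async Task<string> SendEmailConfirmationTokenAsync(string userId, string subject)
    {
        string code = await UserManager.GenerateEmailConfirmationTokenAsync(userId);
        var callbackUrl = Url.Action("ConfirmEmail", "Account",
            new { userId = userId, code = code }, protocol: Request.Url.Scheme);
        await UserManager.SendEmailAsync(userId, subject,
            "Please confirm your account by clicking <a href=\"" + callbackUrl + "\">here</a>");
        return callbackUrl;
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        var user = new ApplicationUser
        {
            UserName = model.Email,
            Email = model.Email,
            TwoFactorEnabled = true,      // second factor required on every login
            PhoneNumberConfirmed = false  // flipped to true only after the SMS code is verified
        };

        var result = await UserManager.CreateAsync(user, model.Password);
        if (!result.Succeeded)
        {
            AddErrors(result);
            return View(model);
        }

        // The new user is deliberately NOT signed in here: email and phone must be
        // confirmed first. The id is carried to the phone workflow via session state.
        await SendEmailConfirmationTokenAsync(user.Id, "Confirm your account");
        Session["UserID"] = user.Id;
        return RedirectToAction("AddPhoneNumber", "Manage");
    }
}
```

Note that the user id only ever travels server-side in the session; the browser never gets to choose which account the phone-confirmation step applies to.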

Check DB for existing phone number and add SMS logic to the AddPhoneNumber action method

In the ManageController add the [AllowAnonymous] attribute to both the GET & POST AddPhoneNumber action methods. This gives the not-yet-logged-in user access to the phone number confirmation workflow. Make a database query to check whether the phone number entered by the user is already associated with an account. If not, send the SMS code and redirect the user to the VerifyPhoneNumber action method.

Update VerifyPhoneNumber Action method

Add the [AllowAnonymous] attribute to the GET action method and delete everything in the method but the return statement that directs the verification flow.

Replace User.Identity.GetUserId() with Session["UserID"] in the method as shown below. If the user enters the correct PIN code, they are directed to the Index view of the ManageController and the user’s boolean PhoneNumberConfirmed property is set to true.
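The AddPhoneNumber and VerifyPhoneNumber steps above, written out as one added example (not the post's own code). It assumes the default template's ManageController members (UserManager, ManageMessageId, AddPhoneNumberViewModel, VerifyPhoneNumberViewModel) and the post's Session["UserID"] hand-off from Register. The duplicate-number check uses UserManager.Users, which the Identity UserManager exposes as a queryable over the user table; the null-session guard that sends a caller back to Register is my addition, because with [AllowAnonymous] on these actions there is otherwise nothing tying the request to a registration in progress.

```csharp
// Added example: anonymous phone-confirmation flow in ManageController.
// UserManager, ManageMessageId and the view models come from the default template.
using System.Linq;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class ManageController : Controller
{
    // The id stored by Register. Null means the caller did not come through
    // registration, so refuse rather than trust anything in the request.
    private string SessionUserId
    {
        get { return Session["UserID"] as string; }
    }

    [AllowAnonymous]
    public ActionResult AddPhoneNumber()
    {
        if (SessionUserId == null)
            return RedirectToAction("Register", "Account");
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> AddPhoneNumber(AddPhoneNumberViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);
        var userId = SessionUserId;
        if (userId == null)
            return RedirectToAction("Register", "Account");

        // DB check: refuse a number that already belongs to a different account.
        bool taken = UserManager.Users.Any(u => u.PhoneNumber == model.Number && u.Id != userId);
        if (taken)
        {
            ModelState.AddModelError("", "That phone number is already associated with an account.");
            return View(model);
        }

        // The token is bound to (userId, number) and is only accepted by
        // ChangePhoneNumberAsync for that same pair.
        var code = await UserManager.GenerateChangePhoneNumberTokenAsync(userId, model.Number);
        if (UserManager.SmsService != null)
        {
            await UserManager.SmsService.SendAsync(new IdentityMessage
            {
                Destination = model.Number,
                Body = "Your security code is: " + code
            });
        }
        return RedirectToAction("VerifyPhoneNumber", new { PhoneNumber = model.Number });
    }

    // Only the return statement survives; the SMS was already sent by the POST above.
    [AllowAnonymous]
    public ActionResult VerifyPhoneNumber(string phoneNumber)
    {
        return phoneNumber == null
            ? View("Error")
            : View(new VerifyPhoneNumberViewModel { PhoneNumber = phoneNumber });
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> VerifyPhoneNumber(VerifyPhoneNumberViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);
        var userId = SessionUserId;
        if (userId == null)
            return RedirectToAction("Register", "Account");

        // ChangePhoneNumberAsync validates the code for this user/number pair and,
        // on success, stores the number and sets PhoneNumberConfirmed = true.
        var result = await UserManager.ChangePhoneNumberAsync(userId, model.PhoneNumber, model.Code);
        if (result.Succeeded)
        {
            Session.Remove("UserID"); // the hand-off is finished; don't leave the id lying around
            return RedirectToAction("Index", new { Message = ManageMessageId.AddPhoneSuccess });
        }
        ModelState.AddModelError("", "Failed to verify phone");
        return View(model);
    }
}
```

Because the phone token is generated for the specific user id and number, a code sent to one number cannot be replayed to confirm a different number on the same account, and the duplicate check stops one phone from being attached to several accounts.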

Check if the user has a confirmed email on Login

Back in the AccountController, update the Login() action method to check whether the user has confirmed their email. If not, return an error message and redirect the user to the “Info” view, and call the SendEmailConfirmationTokenAsync() method, passing in user.Id and an email subject.

Add Info View

Inside the Views/Account, create a new View named Info that the user will be redirected to if their email has not been confirmed. The view should contain the following code:

Ensure 2FA Cannot be Bypassed

In the Views/Account/Login.cshtml delete the <div class="form-group"> containing the ‘Remember Me’ checkbox. In Views/Account/VerifyCode.cshtml delete the <div class="form-group"> for the “RememberBrowser” checkbox and the hidden RememberMe input. Delete the corresponding properties in each of the view models in AccountViewModels.cs: SendCodeViewModel and VerifyCodeViewModel. Finally, remove any remaining usage of these properties (including in method signatures) or, where a value is still required, replace them with false. This prevents the user from bypassing 2FA verification.
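Added example (not the post's own code) covering both the confirmed-email check on Login and the "replace with false" part of this step: the Login and VerifyCode POST actions of the AccountController with every remember-me and remember-browser value hard-wired to false. It assumes the template's UserManager, SignInManager, RedirectToLocal and view models, and the SendEmailConfirmationTokenAsync helper added earlier in this controller; the ViewBag.errorMessage name and the message text are my own.

```csharp
// Added example: Login and VerifyCode actions in AccountController with
// persistent and remember-browser sign-ins disabled.
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class AccountController : Controller
{
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Block login for unconfirmed emails before any sign-in cookie is issued.
        var user = await UserManager.FindByNameAsync(model.Email);
        if (user != null && !await UserManager.IsEmailConfirmedAsync(user.Id))
        {
            await SendEmailConfirmationTokenAsync(user.Id, "Confirm your account - resend");
            ViewBag.errorMessage = "You must have a confirmed email to log in. A new confirmation link has been sent.";
            return View("Info");
        }

        // isPersistent is always false: no long-lived cookie, so 2FA runs on every login.
        var result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, false, shouldLockout: false);
        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            case SignInStatus.RequiresVerification:
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = false });
            default:
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> VerifyCode(VerifyCodeViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Both options are hard-wired to false: the browser is never exempted from
        // the second factor and the session cookie is never made persistent.
        var result = await SignInManager.TwoFactorSignInAsync(
            model.Provider, model.Code, isPersistent: false, rememberBrowser: false);
        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(model.ReturnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            default:
                ModelState.AddModelError("", "Invalid code.");
                return View(model);
        }
    }
}
```

One thing to watch with the Login change: because the confirmation check runs before the password is verified, the Info view tells anyone who submits the form whether that email has an unconfirmed account, and each attempt triggers a resend. If that matters for your app, rate-limit the resend or only perform the check after PasswordSignInAsync succeeds.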

Conclusion

With that, you have a web app using ASP .NET Identity that is 2 Factor Authentication (2FA) enabled using Nexmo SMS and SendGrid Email as the different methods of verification.

SMS and email provide additional layers of security to correctly identify users and further protect sensitive user information. Using the Nexmo C# Client Library and SendGrid’s C# Client, you can add both SMS and email verification with ease.

Please grab the code and try it for yourself.

Feel free to send me any thoughts/questions on Twitter @sidsharma_27 or email me at [email protected]!

