Adil Khalil

Reputation: 2131

Add hashed security columns to ASP.NET Identity (MVC 5)

We are using Identity Framework 2.1.0 and plan to add a Security Question and Answer to the User Registration Page. We will have a separate table for Questions and would like to add 2 more columns to AspNetUsers:

  1. SecurityQuestionId
  2. SecurityAnswer

I want to keep the 'SecurityAnswer' column hashed. Since we already have a SecurityStamp column in this table, can we use this for hashing and de-hashing?

If yes, how? If no, what are the alternatives?

Your help is much appreciated; any reference or pointer is welcome.

Upvotes: 3

Views: 1816

Answers (2)

trailmax

Reputation: 35106

To hash your security answer, you can use UserManager.PasswordHasher:

using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// get the UserManager instance (ApplicationUserManager in the MVC 5 template)
var manager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

var hashedAnswer = manager.PasswordHasher.HashPassword("Very secret answer to my secret question");

// ... here store your hashed answer in the database

When the user comes back and tries to reset their password, load the stored hash of the answer and verify the newly provided answer against it:

PasswordVerificationResult result = manager.PasswordHasher.VerifyHashedPassword(hashedAnswer, "Hello, this is the wrong answer");

if (result == PasswordVerificationResult.Success)
{
    // reset password, answer is correct
}

Something like this.

However, I'm not a fan of secret questions/answers. They are inherently flawed from the security point of view. Your answer becomes yet another password, and this one is much more guessable than your normal password, because the question provides a hint. I'd recommend reading through the excellent article by Troy Hunt about password resetting; it touches on the topic of secret questions/answers.

Upvotes: 3

jimSampica

Reputation: 12410

There is no "de-hashing" because hashing is a one-way process.

What I would do is piggyback on the Identity password hash function from the UserManager. Hash your security answer and store it in your new column.

using Microsoft.AspNet.Identity;

var hashedAnswer = UserManager.PasswordHasher.HashPassword("My Secret Answer");

Then, when you need to verify the true security answer against the user-provided input:

PasswordVerificationResult result = UserManager.PasswordHasher.VerifyHashedPassword(hashedAnswer, userInput);

If both answers are the same the hash will be the same.

Upvotes: 3
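Both answers above use PasswordHasher in the same way. As an added example that is not part of the question or of either answer, here is a complete hash/verify helper for the security answer, written against the real ASP.NET Identity 2.x API (PasswordHasher, IPasswordHasher, PasswordVerificationResult, UserManager). The class, property and method names SecurityAnswerHasher, SecurityQuestionId, SecurityAnswerHash, Normalize, Hash and Verify, and the reset-flow snippet in the trailing comment, are assumptions made for this example.

```csharp
// Added example, not code from the question or either answer.
// Assumed names: ApplicationUser's SecurityQuestionId / SecurityAnswerHash
// columns, and the SecurityAnswerHasher helper below.
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser
{
    // The two new AspNetUsers columns from the question. The answer column is
    // named ...Hash to make clear it never holds the plaintext answer.
    public int? SecurityQuestionId { get; set; }
    public string SecurityAnswerHash { get; set; }
}

public static class SecurityAnswerHasher
{
    // PasswordHasher is the class UserManager.PasswordHasher uses by default
    // (PBKDF2 with a random per-hash salt), so the same answer hashed twice
    // yields two different strings and two users with the same answer do not
    // share a stored value. manager.PasswordHasher can be substituted here.
    private static readonly IPasswordHasher Hasher = new PasswordHasher();

    // Normalize before hashing so "Fluffy " and "fluffy" verify as the same
    // answer; the identical normalization is applied on the verify side.
    private static string Normalize(string answer)
    {
        if (answer == null) throw new ArgumentNullException("answer");
        return answer.Trim().ToLowerInvariant();
    }

    // Value to store in AspNetUsers.SecurityAnswerHash at registration time.
    public static string Hash(string answer)
    {
        return Hasher.HashPassword(Normalize(answer));
    }

    // Returns true only when the hasher reports Success or SuccessRehashNeeded.
    // Never compare two hashes with string equality: the salt makes them differ.
    public static bool Verify(string storedHash, string providedAnswer, out bool rehashNeeded)
    {
        rehashNeeded = false;
        if (string.IsNullOrEmpty(storedHash) || providedAnswer == null)
        {
            return false;
        }

        PasswordVerificationResult result =
            Hasher.VerifyHashedPassword(storedHash, Normalize(providedAnswer));

        switch (result)
        {
            case PasswordVerificationResult.Success:
                return true;
            case PasswordVerificationResult.SuccessRehashNeeded:
                // Hash was made with an older format; store a fresh one.
                rehashNeeded = true;
                return true;
            default:
                return false;
        }
    }
}

// Assumed use in a password-reset action (userManager is the app's
// UserManager<ApplicationUser>; model carries UserName, QuestionId, Answer):
//
//   var user = await userManager.FindByNameAsync(model.UserName);
//   bool rehash;
//   if (user != null
//       && user.SecurityQuestionId == model.QuestionId
//       && SecurityAnswerHasher.Verify(user.SecurityAnswerHash, model.Answer, out rehash))
//   {
//       if (rehash)
//       {
//           user.SecurityAnswerHash = SecurityAnswerHasher.Hash(model.Answer);
//           await userManager.UpdateAsync(user);
//       }
//       var token = await userManager.GeneratePasswordResetTokenAsync(user.Id);
//       // ... hand the token to the reset-password step
//   }
//   else if (user != null)
//   {
//       // Count a wrong answer like a wrong password so lockout applies.
//       await userManager.AccessFailedAsync(user.Id);
//   }
```

Two points the answers leave implicit: because PasswordHasher salts every hash, equality of two hash strings tells you nothing, so all checks have to go through VerifyHashedPassword; and because a security answer carries far less entropy than a password, the verify call should sit behind the same failed-attempt counting and lockout as login, which is why the reset snippet calls AccessFailedAsync on a wrong answer.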
