ChrisC

Reputation: 1171

What is max expiry for ASP.NET Identity Two Factor code?

I'm trying to find out what is the max value for a two factor authentication code from ASP.NET Identity 2.1.

I have tried setting the following:

app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(60));

but the code isn't good for that long, so I'm wondering if perhaps this is the expiry for the cookie itself and not the code it contains. I'm wondering if there is a technical limitation to how long the verification code can last, based on how it is generated.

All of the examples simply stick with 5 minutes, so I'm wondering if this is the actual limit. I read somewhere that there is an extra 90 second allowance on top of the 5 minutes, and so that seems to be around what I am getting.

I noticed this question (ASP.Net Identity 2, Two Factor Security Code timespan) was looking to do the same thing, but there wasn't an accepted answer and it is almost 1.5 years old, so thought I'd ask from a limit point of view before I bother trying to change it according to that answer.

Upvotes: 2

Views: 5128

Answers (2)

Dov Miller

Reputation: 2058

You are right, the code you wrote only changes the cookie timeout.

You can change the expiry time using the code in the answer to the question you mentioned in your question, or similarly do this in your UserManager constructor:

    // This must be the IdentityFactoryOptions instance supplied by the OWIN context
    // (e.g. the argument passed to your UserManager's Create callback); a freshly
    // constructed options object has a null DataProtectionProvider, so the block below is skipped.
    IdentityFactoryOptions<UserManager> options = new IdentityFactoryOptions<UserManager>();
    var dataProtectionProvider = options.DataProtectionProvider;
    if (dataProtectionProvider != null)
    {
        // Replace the default token provider with one whose lifespan you control.
        this.UserTokenProvider = new DataProtectorTokenProvider<AppUser>(dataProtectionProvider.Create("ASP.NET Identity"))
        {
            TokenLifespan = new TimeSpan(0, 10, 0)   // 10 minutes
        };
    }

However, that's not enough. You must also change the cookie timeout, like you wrote in your question, in your Startup file like this:

app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(10));

This worked for me.

Upvotes: 1

ChrisC

Reputation: 1171

Looks like the answer is no, I can't change the expiry on that code.

The underlying token provider is TotpSecurityStampBasedTokenProvider, which uses Rfc6238AuthenticationService, which internally, if I am reading it right, hard-codes the expiry to 3 minutes, with up to a max 90 second time variance.

I'm thinking the expiry I changed only changed the expiry on the cookie containing the two-factor code, not the code expiry itself. We validated that, as the error message you get back when the code expires with a valid cookie is different from the error you get back with an expired code and an expired cookie.

I just think it is supremely disappointing that this isn't explained better in the help text for the UseTwoFactorSignInCookie call.

Upvotes: 7
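Added example, written for this page and not taken from ASP.NET Identity or from anyone in the thread: a stand-alone RFC 6238 implementation that shows why a TOTP-style code's lifetime is fixed by the time step and the verifier's step tolerance, so no cookie timeout can stretch it. Only the 3-minute step comes from the answer above; HMAC-SHA1, 6 digits, the sample secret and the +/-1-step tolerance are assumptions, so Identity's exact window may differ.

```python
# Added example, not ASP.NET Identity's source. Assumptions: HMAC-SHA1, 6 digits,
# tolerance of +/-1 step; only the 3-minute step is taken from the thread.
import hashlib
import hmac
import struct

STEP_SECONDS = 3 * 60   # 3-minute step, as described for Rfc6238AuthenticationService
WINDOW_STEPS = 1        # assumption: previous, current and next step are accepted
DIGITS = 6              # assumption: 6-digit codes

def step_number(unix_time: int, step_seconds: int = STEP_SECONDS) -> int:
    """RFC 6238 counter T = floor(unix_time / step)."""
    return unix_time // step_seconds

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return binary % (10 ** digits)

def generate_code(secret: bytes, unix_time: int) -> int:
    """Code handed to the user at `unix_time` (secret shared with the verifier)."""
    return hotp(secret, step_number(unix_time))

def validate_code(secret: bytes, code: int, unix_time: int,
                  window_steps: int = WINDOW_STEPS) -> bool:
    """Verifier: accept if the code matches any step within +/-window_steps of now."""
    current = step_number(unix_time)
    return any(hotp(secret, current + i) == code
               for i in range(-window_steps, window_steps + 1))

def seconds_until_expiry(issued_at: int, window_steps: int = WINDOW_STEPS,
                         step_seconds: int = STEP_SECONDS) -> int:
    """Seconds after `issued_at` during which the code is still accepted."""
    last_good_step = step_number(issued_at, step_seconds) + window_steps
    return (last_good_step + 1) * step_seconds - 1 - issued_at

def lifetime_bounds(window_steps: int = WINDOW_STEPS,
                    step_seconds: int = STEP_SECONDS) -> tuple:
    """(shortest, longest) lifetime any code can get: issued just before a step
    boundary -> window*step; issued right at a boundary -> (window+1)*step - 1."""
    return (window_steps * step_seconds, (window_steps + 1) * step_seconds - 1)

if __name__ == "__main__":
    secret, issued = b"constructed-demo-secret", 1_700_000_000   # constructed key and time
    code = generate_code(secret, issued)                          # issued 80 s into its step
    print([validate_code(secret, code, issued + d) for d in (0, 170, 279, 280)])
    print(seconds_until_expiry(issued), lifetime_bounds())
```

With these assumptions a code lives between 180 and 359 seconds depending on where in the step it was issued; the only knobs that move that envelope are the step size and the tolerance inside the TOTP service.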
