Introducing IdentityReboot
I’ve been a vocal critic of the Microsoft identity solutions. In their defense this is not a trivial subject, but I feel that they’ve not really spent the time or focus they need to to provide a fully robust solution given the putative standards for modern security. ASP.NET Identity v2 is the latest iteration in the history of their implementations, and while it’s the best so far I feel there are still major issues with the security of the implementation.
I’ve also been touting MembershipReboot as an alternative, but I have realized several issues related to its visibility and adoption. MembershipReboot is a fairly small open source project. It’s a completely different library than the one(s) from Microsoft. I’m the only main developer. I am not paid to work on it. I do not have a staff. I only have the barest of documentation (I know — shame on me). The only real support is via the github issue tracker. And perhaps most importantly it’s hard to gain notice amid the marketing behemoth that is Microsoft. Notice in this very recent video there is no mention of how passwords are stored or how their library actually provides any security; rather topics such as EF and Azure are discussed *rolls eyes*. So, I completely understand that many won’t consider or even notice MembershipReboot and will adopt ASP.NET Identity without knowing any better.
IdentityReboot
Despite this I’m still doing my best to make this space better. As such, I’m announcing IdentityReboot.
IdentityReboot is a set of extensions to ASP.NET Identity that implement the major missing features I’ve complained about (put up or shut up, right?). The code to do this is essentially the same code I have already implemented in MembershipReboot, but it’s been adapted to the ASP.NET Identity programming model. The master branch targets ASP.NET Identity v2, but there is a v1 branch for ASP.NET Identity v1.
The main features provided by IdentityReboot (targeting v2) are:
- Per-account adaptive password hashing (as discussed here)
- Login and two factor authentication code brute force prevention (as discussed here)
- Fix the issue with the time-based two factor authentication codes (as discussed here)
The various components provided are:
AdaptivePasswordHasher
The password hashing algorithm is pluggable in ASP.NET Identity, so IdentityReboot provides an AdaptivePasswordHasher class that implements the password stretching I described here.
The AdaptivePasswordHasher constructor allows a developer to indicate the number of iterations to use. If the iterations are not provided then it uses the year-based adaptive algorithm. It can then be configured on the UserManager.PasswordHasher property and it will be used when password hashing is needed by the UserManager.
The iteration count is stored in the hashed password string itself so there’s no schema change needed. Also the AdaptivePasswordHasher is compatible with passwords already hashed and persisted with the built-in password hasher from ASP.NET Identity. This means you can add this and your existing users hashed passwords will still work.
IdentityRebootUserManager
To implement brute force prevention for passwords and two factor codes, the logic from the ASP.NET Identity UserManager had to be replaced. To do this, IdentityReboot provides a UserManager-derived class called IdentityRebootUserManager.
IdentityRebootUserManager overrides the methods that perform password and two factor authentication code validation. If too many invalid attempts have been made within a window of time, then these validation methods fail not allowing the user to proceed. These values are configurable, but default to 5 attempts within 5 minutes.
To implement this brute force prevention, some data needs to be stored in the database. As such, a new store interface was introduced to persist the necessary data: IBruteForcePreventionStore. This interface models storage for the last date/time of the failed login and the number of failed attempts. This store interface pattern is consistent with ASP.NET Identity’s pattern to allow any storage implementation.
Also, by default, the IdentityRebootUserManager automatically configures and uses the AdaptivePasswordHasher mentioned above.
MobileStoredTwoFactorCodeProvider
To fix the issue with time-based two factor authentication codes, IdentityReboot provides a new token provider class called MobileStoredTwoFactorCodeProvider. This token provider is meant to replace those built-in with ASP.NET Identity and improves upon the time-based providers by generating a code that is valid for a window of time from the time it is generated (as opposed to fixed windows of time, as I describe here).
To achieve this, the MobileStoredTwoFactorCodeProvider creates a random code which is sent via SMS to the user. This code is also hashed and stored in the database along with the time the code was generated. The hash is necessary to thwart attackers that have access to the database. The time is used to ensure the user has a sufficient window in which to validate the token. The number of digits and the validity duration are both configurable, and default to 6 digits and a 5 minute window.
To store the pertinent data for the MobileStoredTwoFactorCodeProvider another new store interface was defined: ITwoFactorCodeStore. It models persisting the hashed two factor authentication code and the date/time it was issued.
IdentityReboot.Ef
Finally, there is also an IdentityReboot.Ef project that provides an EF-backed IdentityRebootUserStore that implements the two additional store interfaces and an IdentityRebootUser class which defines the properties needed for the new store interfaces.
Getting Started
To use IdentityReboot, you can either get started from the samples or you can create a new empty ASP.NET application and then add the “Microsoft ASP.NET Identity Samples” from the nightly builds (as documented here). There are also packages on NuGet here and here.
In your web project starting from the templates all that is needed is to reference the IdentityReboot assemblies and then make these changes:
- Change ApplicationUser to derive from IdentityRebootUser instead of IdentityUser (in ~/Models/IdentityModels.cs)
- Replace new UserStore with new IdentityRebootUserStore (2 locations in ~/App_Start/IdentityConfig.cs)
- Change ApplicationUserManager to derive from IdentityRebootUserManager instead of UserManager (in ~/App_Start/IdentityConfig.cs)
- Remove the two calls to RegisterTwoFactorProvider and replace them by registering the MobileStoredTwoFactorCodeProvider.
If you have an existing database then you will need to use EF migrations to update the database with the new schema for the new stored data.
The intent with IdentityReboot was to enhance the security of ASP.NET Identity with as few changes and disruptions as possible. Again, all of these are illustrated in the samples.
Feedback welcome.
Trackbacks
- Decaying Code | Community Update 2014-02-12 – Small day with only #aspnet and #elasticsearch
- An Interesting List of Development Stuff (February 2014) | rionscode
- Herding Code 187: Brock Allen on ASP.NET Security and Identity
- Exploring Thinktecture.IdentityManager as a replacement for the ASP.NET WebSite Administration tool - Scott Hanselman
- Thinktecture.IdentityManager as a replacement for the ASP.NET WebSite Administration tool - Scott Hanselman
- Monthly Industry Roundup: June, 2014
- Monthly Industry Roundup: June, 2014 | NMG
- An Interesting List of Development Stuff (February 2014) - Rion.IO
- ASP.Net Identity Security | code4cake
brockallen 
Hi! This means the end of MembershipReboot?? I’m building a security system to manage the security of all the enterprise apps and in my research i found MembershipRebbot, so i wanted to give it a try (but if it is going to be out i’m not sure about it). Thanks and sorry for my english!!
Not at all — MembershipReboot is still alive and well.
IdentityReboot is simply provided for those people stuck with ASP.NET Identity, but who want a more secure ASP.NET Identity.
Right now i´m authenticating against AD and custom users stored in sql with a custom password policy. It is not managed as i want and i wanted to ask you if membership reboot could help me and still be able to authenticate against AD and my custom users in sql. Thanks
I’d suggest looking at the MR samples on github to get a feel for what it can do for you.
That’s good to hear ;) since I already integrated my application with MR. And and made some adjustments to IdeintityServer to work with MR.
Hi Rony,
Which version IdentityServer (Version 2 or Version 3) you adjust with MR ?. Brock is there way to adjust MR with Identity version 2 ?
Yes, there’s a sample for MR and IdSvr2 on github.
Thanks Brock, I found a sample is great, if i need to implement as sample in IdentityServer v2 – Website should i just create similar class (IdentityRepository) as in sample or change the code in the “web project’s Controllers\InitialConfigurationController.cs and on line 152″, membershipreboot require email address. Furthermore, it need changes in configuration file :
userManagement=”MembershipRebootUserRepository.IdentityRepository, MembershipRebootUserRepository”
userValidation=”MembershipRebootUserRepository.IdentityRepository, MembershipRebootUserRepository”
claimsRepository=”MembershipRebootUserRepository.IdentityRepository, MembershipRebootUserRepository”
clientCertificates=”MembershipRebootUserRepository.IdentityRepository, MembershipRebootUserRepository”
inside the website ?. Is there other places need to change to run memershipreboot in IdentityServer v2 web site ?
For more involved and/or technical discussions related to IdentityServer, I’d suggest opening an issue on the github issue tracker.
It’s being overlooked because we expect Microsoft to improve security – it has – sllooowwwly. So even though MembershipReboot , IdentityReboot will improve security I’m just needing to put this legacy app behind some federated identity server. Most will create a pluggin for adfs – http://blogs.technet.com/b/cloudpfe/archive/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-3-0-part-2.aspx or if they want a more customized process will plug your identity server and call it a day. So maybe package IdentityReboot as part of identity server and there will be faster adoption ?maybe?
make identity server – federated server only
and make identity reboot an identity provider that extends the membership system with these extensions.
and then create an identity provider without these extensions like what is already built into identity server.
as for me:
old systems i would choose the original . new installations i would go with identity reboot if i wasn’t forcing users to use openid.
also in April 2014 – microsoft is shipping “ASP.NET Identity Two-Factor Auth” – http://channel9.msdn.com/Series/Building-Modern-Web-Apps/01 00:34:23
Well, we’re working on IdentityServer v3 and we will be using MR as part of it.
Thanks for this! I’ve been reading your past few posts on MembershipReboot and I’m glad to see some of these features available on top of ASP.NET Identity v2. Ideally, the MS identity code would be open source (supposed to get there eventually) and you could contribute your enhancements, but this is a nice trade-off in the meantime.
sorry to tail this post with this question. But i’m trying to understand if we can use any of the Identity feature, without using Entity Framework. I’m new to Web development, and I don’t want to use EF. I’ve been learning how to interact with my database, using Micro ORM’s. So, I’ve already invested time in creating a functional back-end database to call against. However, I know need to authenticate users, both from the web and from a mobile web api via Web Api 2. Do any of your examples, show how this can be done?
Check the ASP.NET Identity docs: http://www.asp.net/identity
yeah, scanned through these, and there nothing on there (perhaps not looking hard enough), that shows me how to configure without using EF. I have my tables, just want to take advantage of the Owin middle ware in MVC 5
Yea, sorry — MSFT’s doing a bad job of documenting how to extend their framework. I learned it by decompiling their source code.
It seems IdentityConfig.cs is no longer included in App_Start, or any, folder of Visual Studio 2013 projects. How does this affect the installation/utilization of IdentityReboot?
I just looked and it is there. You need to “include prerelease” in NuGet and use the “Microsoft ASP.NET Identity Samples” from the WebStack Nightly builds from http://www.myget.org/f/aspnetwebstacknightly/. You can also inspect the sample app in github as an example.
First, thank you. You may think you are working on this code in the wilderness but there are a lot of folks who look to your expertise when trying to implement a better login solution. So, please keep at it – hopefully MS will take notice.
Quick question: As a fairly new (inexperienced) MVC developer creating a web application from scratch for a client, would you incorporate MembershipReboot or IdentityReboot?
You can use either. MR has more features than ASP.NET Identity. IR helps make ASP.NET Identity as secure as MR. Also, IR is still beta, since ASP.NET Identity is beta. MR is more mature.
Hey Brock,
the beta2 release of Identity V2 looks pretty similar to your IdentityReboot. You’re now helping out Microsoft with your solution?
Thanks a lot for your efforts, I’m a .Net beginner and your examples are really really helpful!
Best wishes
I think you mean that ASP.NET Identity looks pretty similar to MembershipReboot, no?
Anyway, thanks.
Sorry I formatted it the wrong way! of course i meant it like that!
One of my requirements is multi-tenancy. I found this article based upon that keyword. So after reading the discussion I am wondering if IdentityReboot will have the same multi-tenancy features as MembershipReboot.
IdentityReboot extends ASP.NET Identity and as such it isn’t changing the fundamental architecture. So no, IdentityReboot does not add multi-tenancy to ASP.NET Identity.
MembershipReboot, though, does support multi-tenancy: https://github.com/brockallen/BrockAllen.MembershipReboot/
Do you think it would be a good idea to change the IdentityUser pkey from a string to a Guid? ie. so it gets created as uniqueidentifier instead of nvarchar(128) in the db…
Since you are already implementing IUserStore etc I guess it would be easy to build this into IdentityReboot, of course if it is actually better practice (as I think so, specially for FKeys to user table)
This would be up to you. I don’t really have a strong opinion about it either way.
Just did some more work and extending Identity to use a Guid or int is really easy, more so since your implementation is very clean. So you’re right, no need to change anything in IdentityReboot. thanks
Fantastic work.Thanks so much for sharing, I totally appreciate it!
Hi, great work. Is it possible for a user to change their email address with IdentityReboot (and have their new email address require confirmation)?
No, this is a feature that will (sort of) be built into ASP.NET Identity v2.
Hi,
This is great… I have 2 questions…
Is there a way to disable cookies and not rely on them at all?
Is there a way to not use EF?
Thank you much!
Stefan
An identity management and authentication library stores identity info in a database. The cookie you’re thinking about, I think, is if you’re doing identity management library in the context of a browser based app, and cookies are used to track the logged in user.
ASP.NET Identity allows for any store you want to implement.
Hi. Great work with IR and MR. Watched the http://channel9.msdn.com/Series/Building-Modern-Web-Apps/03 video and not much attention is given to the common issues with the old implementations and what the new model actually provides in a real world scenario (not just registering and logging in and out of FB etc). I have been looking to start a SAAS application and a good platform/starting point for implementing a multi-tenant membership management solution. Does both IR and MR provide a Multi-tenant implementation/usage? I don’t see any samples on the multi-tenant option/switch in MR and how to use it but would appreciate any recommendations and pointers to get it going.
MR supports multi-tenancy. IR does not, since ASP.NET Identity does not.
Hi,
Are you planning to implement a web-api sample with bearer token with two-factor authentication in the near future?
We will be implementing that in IdentityServer v3, which is open source.
1000 (y) s for that, thanks!
Can this easily work with Model First (how) or does it also require Code First like Identity does? Thanks!
If you already have your own DB then you would need to implement all of the store interfaces needed by ASP.NET Identity.
As far as IdentityReboot is concerned, it just layers on top of ASP.NET Identity and doesn’t care how you’re building your database.
Thx Brock. Why do I need my own store interfaces if using EF6 Model First and an existing database? Can I not just manually add the Identity tables to my existing database using scripts created from a database created by a VS2013 Code First solution?
Sure, that would work I suppose. It just sounded like you already had tables for users and passwords, so I thought you meant you wanted to use your existing schema and data.
We are using SimpleMembership now but have a very small number of users and since planning on opening to external users, want a useful and secure MemberShip provider. We are willing to use Identity or IdentityReboot but since Identity is so oriented toward Code First, and there was no doc on how to use it with Model First, we did not know how to start. Especially with things like that the User inherits from IdentityUser (or IUser) which you cannot do with Model First. Would love to see one of your articles address how to use Identity and ergo IdentityReboot, with Model First as I believe that the Model First approach to EF is used much more often than Code First though the latter seems to be getting all the attention lately. I view Database First merely as a variation of Model First. Thanks, Dave
Personally, I dislike ASP.NET Identity and its programming model, so I don’t plan on writing any more posts on how to use it. Sorry.
Ya I don’t like it much so far either…we are just going to stick with SImpleMembership for now and let all this stuff sort itself out. Thx.
I cannot get the rememberBrowser to work when using twofactor authentication. The expected result (n my opinion) is to bypass de second login pass (email code) once and for all after the first sucessfull time. However, this is not what happens when I close Internet Explorer 10 and open it again: the second login pass always happens. Can you give some advice here? Thank you
You need to issue a persistent cookie that represents the fact the user has done the 2fa login on this browser. See the templates for more info.
Hi Brock.
I trust you are well.
I have a requirement whereby I need to create a generic user admin tool to be used by administrators of different applications. My question is your membershipreboot multi tenancy will it help in this regard? especially in differentiating administrators and their respective users they manage.
You might want to look into IdentityManager: https://brockallen.com/2014/04/09/introducing-thinktecture-identitymanager/
It’s early, but we’re working on it.
Hi Brock.
I trust you are well.
I have a requirement whereby I need to create a generic user admin tool to be used by administrators of different applications. My question is your membershipreboot multi tenancy will it help in this regard? especially in differentiating administrators and their respective users they manage.
Maybe this does what you need? https://brockallen.com/2014/09/08/thinktectre-identitymanager-beta-1/
Hi,
Thanks very much for your solution. Can you tell me where/when I should be populating the claims? I could do it in the Login Account Controller action but that feels unclean to me.
I’m a bit surprised you haven’t demonstrated this aspect of the framework as it’s a great feature.
Thanks
John
Login is where you identify the user, so this is where you load the claims.
Hi Brock.
will you be adding features like multi tenancy and more samples for other providers.
No, sorry — multitenancy would require Microsoft to change their API. MembershipReboot supports multitenancy, though, so if you need it look into that project instead of using ASP.NET Identity.
It’s quite amazing that two guys (who obviously are not your off the mill guys) could create such rich environment for solving authentication and authorization problems. It’s even more amazing that ThinkTecture’s offer is clearly being used as a model for Microsoft’s new development (http://blogs.msdn.com/b/webdev/archive/2014/03/20/test-announcing-rtm-of-asp-net-identity-2-0-0.aspx) and is both richer and easier to use than either Microsoft’s or Ping Identity, company I am following for more than 6 years.
While my intro paragraph may be perceived as “pumping sunshine”, my intent is to indicate how the amount of information has reached the tipping point where there is a need for a “hitchikers guide through thinktecture” page.It may be just me who would benefit from such information (assuming that is constantly maintained to stay current), as I find myself rereading everything and am still left wandering what should I use in a given situation.
I noticed one good soul (Peter Mbanugo) taking care of some nuget packages and documenting how to start with MembershipReboot – but we need more and that should be well designed before starting to do it.
Yep, your point is well taken (and well known). Thanks for the feedback.
Hi Brock, great work! One doubt, though. Imagine I’m going to develop some sort of enterprise cloud software. Some SaaS platform, using ASP.NET MVC. I think, for what I’ve read, MR is the way to go, as oposed to ASP.NET Identity and IdentityReboot, right?
I’d agree with that.
Thought so. Cool. Thanks and once again, great job.
Hi Brock
First things first. I am an ardent follower of your amazing work and being a novice I do not like to get into implementing own security. I have used both MR and IR.
I am working on implementing Multitenancy with IdentityReboot. I am skeptical on implementing Membership since Microsoft moved to Identity. I have managed to implement Mutitenancy of sorts by adding/modifying a few things here and there. And frankly, though MR is very smooth with built in support for multitenancy, I think the option is very much open with IdentityReboot as well.
Cheers
Hi,
Is IdentityReboot supported by IdentityManager?
Thanks
Sure. I guess the better way to say this is that there’s nothing special about IdentityReboot that prevents it from being supported (since IdentityReboot just layers on top of ASP.NET Identity).
Thanks a lot.
So IdentityReboot.EF adds no extra schema to the SQL DB?
It does if your user class derives from the IdentityRebootUser base (which has HashedTwoFactorAuthCode and DateTwoFactorAuthCodeIssued). But that’s optional if you want the storage based two factor auth codes (as opposed to the OTOP implementation key’d by the security stamp).
Brock I am a novice with asp.net, but didn’t like the membership provider framework very much when I tried to work with it. I am using vs 2012 at this time, .net 4.51. I’ve read enough here and there to have decided to explore mr instead of ir.
The project I am designing now is multi-tenant. That usually means (as far as I know) that one login account is associated with one organization account (right?) I will need to allow a single login to be able to be associated with more than one org account. So if I have a user account on the site, it will allow me to use the website to manage widget deliveries for Company A, and Company B (two distinct tenants) but not for Company X, which my account is not associated with.
Is that kind of feature built in to mr? If not I’m hoping it wouldn’t be too hard to adjust it to support this capability?
I have not even tried to use mr yet…
Question #2, are there UI features in membershipreboot? I mean did you include any UI elements to manage users, roles, permissions etc?
Multi-tenant just means that you can have two different users with the same username in the same database — the tenant identifier is just a discriminator. But it’s up to you to define what “tenant” means and how to use it in your app.
MR needs certain UI pages (login, password reset, etc) but it does not provide those — it’s up to your hosting app to build them. Those pages would then call into MR as needed. There are samples of what those pages might look like on the github repo.
Hi Brock. Thinktecture is awesome.
I am new to ASP.Net Identity. I just want to add user management in my ASP.Net MVC 5 application with EF and it is hosted on IIS. I have an admin panel through which i would like to call user management pages. Could you please guide me on how can i implement thinktecture into my existing MVC 5 application. Many Thanks
If all you need is a simple user management tool that admins will be using, then consider IdentityManager:
If the user management is meant to be self-service, then you need to build that yourself. The ASP.NET template is a good starting point for that.
Really nice work.
For now I’ve just quickly integrated IdentityReboot into my MVC project and that achieves my first target of better password hashing. Have checked out IdentityServer 3 and all I need to complete my understanding is seeing an MVC5 sample with registration and user management UI examples.
Some great work here.
Thanks.
Thanks
Why Thinktecture IdentityManager screen missing links to “All Users” “New User” “Roles” “New Role” and “Local User” next to Thinktecture IdentityManager ? Thanks
Not sure, but probably security related. I just posted some walk thru videos to help you get started: https://brockallen.com/2015/04/20/walk-through-videos-for-identitymanager/