Two factor authentication support in MembershipReboot
In MembershipReboot, I just checked in support for two-factor authentication (via mobile phone SMS messages). This also means there is now specific support for associating a mobile phone number with a user account. It turns out this is just as tricky to verify as confirming that a user owns an email address: the number can only be trusted once the user has proven they received a code sent to it.
In any event, a user can now associate a mobile phone with their account, safely change the mobile number associated with the account (the old number stays in force until the new one is verified), and then, on that basis, enable two-factor authentication for the account. I updated the SingleTenantWebApp sample to illustrate usage (and even implemented Twilio as the back-end SMS provider).
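As an added illustration of the verify-then-commit flow described above (this is example code written for this page, not MembershipReboot's own implementation, and it is in Python rather than the library's C#), the sketch below keeps the currently verified number untouched until a code sent to the new number comes back, expires codes after ten minutes, voids a code after five wrong guesses, and refuses to change the number from a bare session once that number is already the second factor. The ten-minute lifetime, the five-attempt limit, the `second_factor_passed` gate and the in-memory `send_sms` stub standing in for Twilio are all assumptions of the example, not documented MembershipReboot behaviour.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 10 * 60   # assumed policy: a code is good for ten minutes
MAX_ATTEMPTS = 5             # assumed policy: five wrong guesses void the pending change

# Constructed stand-in for the SMS gateway: records messages instead of sending them.
SENT_MESSAGES: list = []


def send_sms(number: str, text: str) -> None:
    SENT_MESSAGES.append((number, text))


@dataclass
class PendingMobileChange:
    new_number: str
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class UserAccount:
    username: str
    mobile_number: Optional[str] = None      # only ever written after verification succeeds
    two_factor_enabled: bool = False
    pending: Optional[PendingMobileChange] = None


def normalize_number(raw: str) -> str:
    """Canonical '+digits' form so '+1 (555) 010-0100' and '15550100100' compare equal."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not 7 <= len(digits) <= 15:            # E.164 numbers have at most 15 digits
        raise ValueError("not a plausible phone number")
    return "+" + digits


def request_mobile_change(user: UserAccount, new_number: str,
                          second_factor_passed: bool = False,
                          now: Optional[float] = None) -> None:
    """Start a change; the current verified number stays in force until the new one is confirmed."""
    now = time.time() if now is None else now
    if user.two_factor_enabled and not second_factor_passed:
        # Assumed hardening: once the phone *is* the second factor, a hijacked session
        # alone must not be enough to point it at the attacker's phone.
        raise PermissionError("re-authenticate with the current second factor first")
    number = normalize_number(new_number)
    code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG, zero-padded
    user.pending = PendingMobileChange(number, code, now)
    send_sms(number, f"Your verification code is {code}")


def confirm_mobile_change(user: UserAccount, submitted: str,
                          now: Optional[float] = None) -> bool:
    """Commit the pending number only if the code sent to it comes back in time."""
    now = time.time() if now is None else now
    p = user.pending
    if p is None:
        return False
    if now - p.issued_at > CODE_TTL_SECONDS:
        user.pending = None                    # expired: the user must request a new code
        return False
    p.attempts += 1
    if not hmac.compare_digest(p.code.encode(), submitted.strip().encode()):
        if p.attempts >= MAX_ATTEMPTS:
            user.pending = None                # too many guesses: void the code entirely
        return False
    user.mobile_number = p.new_number          # the only place the verified number is written
    user.pending = None
    return True


def enable_two_factor(user: UserAccount) -> bool:
    """Two-factor can only be switched on once a verified number exists."""
    if user.mobile_number is None:
        return False
    user.two_factor_enabled = True
    return True
```

The constant-time comparison matters less for a six-digit code than the attempt limit does; without the limit an attacker has a one-in-a-million chance per guess and can simply keep guessing while the code is live.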
I’m quite happy I was able to get this feature in. Feedback welcome.
Edit: I spent the rest of the day adding one more related feature: optional browser registration. This means that the first time you use a specific browser to authenticate you will need to complete two-factor authentication, but subsequent authentication from the "registered" browser will not require the two-factor code. The default implementation of this policy remembers the browser "registration" for 30 days and automatically revokes all registrations if the password is changed. The intent was to behave like Google's two-factor auth, where once you have logged in with a browser you don't need to keep entering a code from your SMS. It is an optional trade-off between security and usability/convenience: a registered browser (or a stolen registration cookie) bypasses the second factor for up to 30 days. Enjoy.
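One way to build the registration policy described above without a server-side table of registered browsers is to hand the browser a signed, expiring token whose MAC also covers a per-account "security stamp" that is rotated whenever the password changes; every previously issued token then fails verification with no bookkeeping. This is an added example for this page, not MembershipReboot's code (and in Python rather than C#); the stamp mechanism, the token layout and the process-local `SERVER_KEY` are assumptions of the example, while the 30-day lifetime and revoke-on-password-change rule are the post's stated defaults.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

REGISTRATION_TTL_SECONDS = 30 * 24 * 60 * 60   # 30 days, the post's default policy

# Constructed server-side secret; a real deployment loads this from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Account:
    user_id: str
    # Random stamp rotated on every password change. Because it is mixed into every
    # registration MAC, rotating it silently revokes all registered browsers at once.
    security_stamp: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def change_password(self, new_password: str) -> None:
        # Password hashing itself is out of scope here; only the stamp rotation matters.
        self.security_stamp = secrets.token_bytes(16)


def _mac(account: Account, expires: int, nonce: bytes) -> bytes:
    msg = b"|".join([account.user_id.encode(), str(expires).encode(),
                     nonce, account.security_stamp])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_registration(account: Account, now: Optional[float] = None) -> str:
    """Value for the registration cookie, set once this browser has passed the SMS factor."""
    now = time.time() if now is None else now
    expires = int(now) + REGISTRATION_TTL_SECONDS
    nonce = secrets.token_bytes(16)
    mac = _mac(account, expires, nonce)
    return ":".join([account.user_id, str(expires), nonce.hex(), mac.hex()])


def is_registered(account: Account, cookie_value: str,
                  now: Optional[float] = None) -> bool:
    """True only if the cookie is intact, unexpired, for this account, and issued
    under the account's *current* security stamp."""
    now = time.time() if now is None else now
    try:
        user_id, expires_s, nonce_hex, mac_hex = cookie_value.rsplit(":", 3)
        expires = int(expires_s)
        nonce = bytes.fromhex(nonce_hex)
        mac = bytes.fromhex(mac_hex)
    except ValueError:
        return False
    if user_id != account.user_id or now > expires:
        return False
    # Recomputing with the current stamp is what revokes every token after a password
    # change; compare_digest keeps the MAC check free of a timing side channel.
    return hmac.compare_digest(mac, _mac(account, expires, nonce))


def needs_second_factor(account: Account, cookie_value: Optional[str],
                        now: Optional[float] = None) -> bool:
    """Login-time decision: skip the SMS step only for a validly registered browser."""
    return cookie_value is None or not is_registered(account, cookie_value, now)
```

Set the cookie `Secure` and `HttpOnly`; because possession of it is all that stands between an attacker and a 30-day bypass of the second factor, it deserves the same protection as the session cookie itself.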
I really appreciate all the time and effort you put into all of this. Thank you for sharing.