DEV Community

Cover image for Deep Dive: Multi-Factor Authentication with .NET 5
Mohamad Lawand
Mohamad Lawand

Posted on

Deep Dive: Multi-Factor Authentication with .NET 5

In this article we will be exploring MultiFactor authentication, how does it work and how we can integrate in .Net 5.

You can watch the full video on YouTube

So what we will cover today:

  • The Problem: Security issues
  • What is Multi Factor Authentication
  • How does it work?
  • Benefits of MFA
  • How does it all fit together
  • What algorithms is used and how the code is generated?
  • QR code and its properties
  • Ingredients
  • Code and Implementations

As always you will find the source code in the description down below. Please like, share and subscribe if you like the video. It will really help the channel

Security Issues

When we create an account for any online service, we will have a username and a password to secure our account and make it private to us. But in this modern day this type of protection is not enough as we hear on weekly basis of new hacks and new leaks of credentials.

And if our account has been leaked or hacked this could lead to serious problems and issues. As most of us connect everything to our accounts from, payment information to address to mobile numbers ... Major hacks and leaks includes companies like

  • Adobe
  • Ebay
  • Canva
  • Equifax
  • LinkedIn
  • My Fitness Pall
  • Yahoo

So how can we secure our account further and make sure our accounts are secure even if our credentials are leaked online. Multi factory authentication comes into play.

Multifactory Authentications

Its the process of identifying a user by a combination of methods like:

  • Credentials + 1 time password
  • Credentials + Biometric
  • Credentials + Biometric + 1 Time password
  • Credentials + Machine restrictions

Benefits of MFA

  • It assures consumer identity.
  • It meets regulatory compliances.
  • It complies with Single Sign-On (SSO)
  • It adds next-level security, even remotely

How does it fit together

  • Once the user register and confirm their email address
  • They will able to activate 2 factory authentication
  • Once they click on activate they will see a QR Code
  • Using the authenticator app on their mobile devices, they will be able to scan the QR code
  • Once they scan it, the autneticator app will generate a code
  • Every 30 sec the app will generate a new code which they will be able to use on loggin in

Code Generation

MFA using TOTP (Time-based One-time Password Algorithm) which is a supported implementation using ASP.NET Core Identity. This can be used together with any compliant authenticator app, including:

  • Microsoft Authenticator App
  • Google Authenticator App

To understand how the code is generated we first need to understand 2 things HOTP and TOTP.

HOTP: HMAC based - One Time Password algorithm.

TOTP: is HOTP but with counter/sequence is time based

So in order for us to understand how TOTP work we need to understand how HOTP work.

HOTP overview

  • Our phone and the server keeps track of the secret and a counter value which set at 0
  • When ever we get a new value our counter value goes up
  • When we input the code to the server it check whats the code is
  • if the code matches we log in and it updates the server counter value
  • if we generate a code and dont send it to the server our counter value will be much higher then the server
  • In this case the server will check our code again the next counter value and finds it invalid
  • it will have a 5 window look ahead to see if it could be one of them
  • if there is a match the server will move the look ahead window by 5 to the matched counter value and logs us in
  • if our local counter is too far then we have out grown the server look ahead window and we need to reset 2FA
  • Servers will not accept a value lower then a one which they have already accepted

TOTP Overview

TOTP is very similar to HOTP except its time based, the setup in an authentication app is the same the only difference is that the code is based on the current time instead of a sequence value.

The sequence value utilised in TOTP is derived from the current unix time (which is the number of seconds since January 1st 1970. and the gap between code is usually 30 sec.

We divide the unix time by that gap, we round it down and we get the current sequence value we pass the sequence value to the same code generation function HMAC-SHA-1 which will provide the code for the current time

Authentication apps will need to repeat this process to generate new TOTP code every 30 sec.

The validation for TOTP code is a bit different from HOTP. The authentication server will check if the code is within a certain window of the current time typically a few minutes. if its within that window its allowed. to prevent code reuse the server will save the code of the last utilised code and require any subsequent login attempt to use a code after that time

Alt TextAlt TextAlt Text

How is the Code generated

  • How exactly the code is being generated
    • Utilising HMAC-SHA-1 is key, each MAC func is used to verify the authenticity of a signed message they take 2 parameters a secret and a message
    • HOTP use the HMAC function with a secret from the sever and the and counter value as the message
    • since each HMAC function utilise the underlining hash function SHA-1 in our case ⇒ the output is 160 bits or 20 bites long. since the HOTP code is usually 6-8 char the long output of the HMAC function needs to be truncated into a smaller number of digits. the numeric value is devided by 10 to the power of digits and the remainder is the code value.
    • the truncation of the HMAC function to the code value is accomplished by Dynamic truncation (which is a very complicated process)

QR Code

How is the secrets being sent from the app to the server.

  • All of the parameters and secrets are combined to a single QR code or a link, the QR code encode the link data


  • Type: Algorithm type: TOTP
  • App Display Info: show the information about the code in the auth app
  • Secret: the shared secret between the server and the auth application
  • Issuers: The application name running on the server

Alt Text


VS Code (

Dotnet 5 SDK (

Code time

To utilise MFA inside our application we need to enable identity our application, the steps will take are as follow:

  • Create the application
  • install code generator tool
  • add support for Razor pages inside our MVC application

- install some supporting packages

We will start by checking our dotnet SDK

dotnet --version 
Enter fullscreen mode Exit fullscreen mode

we need to create our application

dotnet new mvc -n "MFACode" -au individual
Enter fullscreen mode Exit fullscreen mode

The first thing we need to do is to enable Razor pages in our application, to do that we need to go to the startup class in the root folder and add the following inside the ConfigureServices method

Enter fullscreen mode Exit fullscreen mode

In order to utilise the asp-net-codegenerator we need to install the tool using the following command

dotnet tool install -g dotnet-aspnet-codegenerator
dotnet tool install --global dotnet-ef
Enter fullscreen mode Exit fullscreen mode

Once the tool is installed we need to install some package so our application will be able to utilise identity.

dotnet add package Microsoft.VisualStudio.Web.CodeGeneration.Design
dotnet add package Microsoft.EntityFrameworkCore.Design
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore
dotnet add package Microsoft.AspNetCore.Identity.UI
dotnet add package Microsoft.EntityFrameworkCore.Sqlite
dotnet add package Microsoft.EntityFrameworkCore.SqlServer
dotnet add package Microsoft.EntityFrameworkCore.Tools
Enter fullscreen mode Exit fullscreen mode

We need to run and build the application to check everything is still running

dotnet build
dotnet run
Enter fullscreen mode Exit fullscreen mode

Once all these packages are added and the tool is generated we can check the csproj file to make sure all of the package are there. Now that everything is ready we need to run the command to Scaffold the Identity

dotnet aspnet-codegenerator identity -dc MFACode.Data.ApplicationDbContext
Enter fullscreen mode Exit fullscreen mode

we can use —useDefaultUI will generate the basic version of the Identity library for more information please find the link in the video description.

Top comments (3)

jgerle profile image
Jan Gerle • Edited

Thanks for sharing, Mo! This classic MFA approach relies on passwords, which are indeed inherently bad and need to vanish asap tbh. OTP tokens are an improvement, but they are still phishable (can be used on a fraudulent website). The most up-to-date, phishing-proof and really convenient MFA standard is WebAuthn. Have you considered implementing that?

moe23 profile image
Mohamad Lawand

I have read about them, but I haven't implemented it yet. Maybe this could be an interesting topic for a future video :)

justjordant profile image
Jordan Taylor

I always enjoy your posts. As a beginner In the world of the .Net ecosystem, these are very helpful!