What is max expiry for ASP.NET Identity Two Factor code?

Question
-
User1258583647 posted
I'm trying to find out what is the max value for a two factor authentication code from ASP.NET Identity 2.2.1.
I have tried setting the following:
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(60))
but the two factor code isn't good for that long, so I'm wondering if perhaps this is the expiry for the cookie itself and not the code it contains. I'm wondering if there is a technical limitation to how long the verification code can last, based on how it is generated. Basically, I have users who get delayed emails longer than 5 minutes, so I increased this time thinking it would make the code last longer.
All of the examples simply stick with 5 minutes, so I'm wondering if this is the actual limit. I read somewhere that there is an extra 90 second allowance on top of the 5 minutes, and so that seems to be around what I am getting.
If the limit should be greater than 5 minutes, am I simply setting it in the wrong place?
Wednesday, June 29, 2016 11:56 AM
Answers
-
User1258583647 posted
Looks like the answer is no, I can't change the expiry on that code.
The underlying token provider is TotpSecurityStampBasedTokenProvider, which uses Rfc6238AuthenticationService, which internally, if I am reading it right, hard codes the expiry to 3 minutes, with up to a max 90 second time variance.
I'm thinking the expiry I changed only changed the expiry on the cookie containing the two-factor code, not the code expiry itself. We validated that, as the error message you get back for when the code expires with a valid cookie is different from the error you get back with an expired code and an expired cookie.
I just think it is supremely disappointing that this isn't explained better in the help text for the UseTwoFactorSignInCookie call.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, July 19, 2016 11:54 AM
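An added sketch (not from the thread and not ASP.NET Identity's own source) of generic RFC 6238 validation in C#, showing why a longer two-factor cookie does not lengthen the code: acceptance depends only on the time step and on how many adjacent steps the validator checks. The 3-minute step is the figure reported in the answer above; the one-step window, the key and the timestamps are constructed assumptions.

```csharp
using System;
using System.Security.Cryptography;

static class TotpDemo
{
    // RFC 4226 HOTP over an 8-byte big-endian counter, truncated to 6 digits.
    static int Code(byte[] key, long counter)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);
        using (var hmac = new HMACSHA1(key))
        {
            byte[] h = hmac.ComputeHash(msg);
            int o = h[h.Length - 1] & 0x0F;                       // dynamic truncation offset
            int bin = ((h[o] & 0x7F) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3];
            return bin % 1000000;
        }
    }

    // RFC 6238: the counter is the number of whole time steps since the Unix epoch.
    static long Counter(DateTime utc, TimeSpan step)
    {
        var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        return (long)(utc - epoch).TotalSeconds / (long)step.TotalSeconds;
    }

    // Accept the code if it matches any step within +/- window of the current one.
    static bool Validate(byte[] key, int code, DateTime nowUtc, TimeSpan step, int window)
    {
        long current = Counter(nowUtc, step);
        for (int i = -window; i <= window; i++)
            if (Code(key, current + i) == code) return true;
        return false;
    }

    static void Main()
    {
        byte[] key = System.Text.Encoding.ASCII.GetBytes("constructed-demo-key"); // constructed
        TimeSpan step = TimeSpan.FromMinutes(3);              // figure reported in the answer
        TimeSpan cookieLifetime = TimeSpan.FromMinutes(60);   // value from the question
        var issued = new DateTime(2016, 6, 29, 12, 0, 0, DateTimeKind.Utc); // constructed
        int code = Code(key, Counter(issued, step));

        foreach (int minutes in new[] { 0, 2, 5, 7, 30 })
        {
            DateTime now = issued.AddMinutes(minutes);
            bool cookieOk = now - issued < cookieLifetime;
            bool codeOk = Validate(key, code, now, step, 1);  // window of 1 step: assumption
            Console.WriteLine("+{0,2} min  cookie valid: {1,-5}  code valid: {2}", minutes, cookieOk, codeOk);
        }
    }
}
```

The code stops validating once the current step is more than `window` steps away from the issuing step, while the 60-minute cookie check keeps passing; only a change to the step or the window extends the code's lifetime.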
All replies
-
User-284744251 posted
The following link should help with two-factor authentication:
https://aspnet.readthedocs.io/en/1.0.0-beta7/security/2fa.html
Wednesday, June 29, 2016 6:41 PM -
User36583972 posted
Hi chrismikec,
The following links are for your reference.
1: In the App_Start\IdentityConfig.cs file sets the tokens to expire in 3 hours.
Account Confirmation and Password Recovery with ASP.NET Identity (C#):
2: ValidateInterval and ExpireTimespan.
ASP.NET-Identity-Cookie-Authentication-Timeouts:
http://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/
3: Adding two-factor authentication to an application using ASP.NET Identity:
Best Regards,
Yohann Lu
Thursday, June 30, 2016 6:30 AM -
User1258583647 posted
I don't mean to be rude here, but these forums really frustrate me. Did you even read my question? I obviously know how to set up two factor verification. All I want to do is change the amount of time the two factor verification code is good for. That link in no way helps me with this.
If you see something in that link that anywhere comes close to answering my question, feel free to point it out.
Monday, July 4, 2016 12:42 PM -
User1258583647 posted
Much like the previous answer, I fail to see how this answers my question at all. None of these links talk at all about how to change the expiry of the two factor verification code.
The third link at least mentions how to set the expiry for the two factor code, but, as you can see from my question, I am already calling it like that. The example in the link sets it to 5 minutes and, as I mentioned, I want it to be more than 5 minutes. However, when I change that given code, it does not seem to change the expiry.
Am I missing something here?
Monday, July 4, 2016 12:47 PM -
User36583972 posted
Hi chrismikec,
You can refer to the following Startup file to configure OWIN authentication. It may help you.
OWIN authentication:
Best Regards,
Yohann Lu
Wednesday, July 6, 2016 8:54 AM -
User1258583647 posted
Again, Yohann, I see nothing in there that helps me with my problem.
As I stated before, I understand that the usual setting is 5 minutes, and I can see on that link you sent me they use 5 minutes too.
HOWEVER, I see no mention of anything to do with increasing this value beyond 5 minutes.
Is there, or is there not, a limit of 5 minutes on this? If not, what is the limit?
Chris
Monday, July 11, 2016 3:56 PM -
User36583972 posted
Hi chrismikec,
I have found that you can increase the max expiry time for the email confirmation.
The following code change in the Create method (in the App_Start\IdentityConfig.cs file) sets the tokens to expire in 30 minutes.
    if (dataProtectionProvider != null)
    {
        manager.UserTokenProvider =
            new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"))
            {
                TokenLifespan = TimeSpan.FromMinutes(30)
            };
    }
Account Confirmation and Password Recovery with ASP.NET Identity (C#):
Best Regards,
Yohann Lu
Friday, July 15, 2016 9:56 AM -
User1258583647 posted
Thanks Yohann, but as I said, I want the expiry for the two factor code, not the email confirmation.
Tuesday, July 19, 2016 11:54 AM -