
I have a requirement in my web application, that I need to register a user with their phone number instead of email and password.

The system should take the user's phone number as input and send an OTP SMS to that phone number. If the OTP matches, I need to create the user.

I tried 2FA with asp.net identity, but it works only when the user is already registered and the phone number is updated in the user table.

Can someone kindly help me?

Thanks in Advance.

Tarak


2 Answers


You will have to use a paid SMS link given by an SMS provider to send a text to a particular phone number.

For example: when a user registers on your site, his/her number will be inserted in the database and an OTP will be created and inserted against that phone number; the link will be used to send the OTP to that phone number. So during login the user will be asked for the OTP, and if the OTP he/she got on mobile matches the OTP from the database then the login will be successful. I don't think there is any method to send a text to a phone number like that. You will have to use some paid SMS provider link or something like that. I hope I have answered your question.


ASP.NET (Core) Identity assumes the user is already registered before it can generate a One Time Password. The reason for this is that ASP.NET Identity uses the user's SecurityStamp (a random string) which is part of the generated TOTP. I'm still not 100% sure what the best solution is. Here are my 2 cents:

  • Create a user with "minimal" information (like only the phone number and a SecurityStamp) at the first signup contact and then leave the rest of the TOTP generation to ASP.NET Identity. This may lead to orphaned/incomplete users (if e.g. the users don't complete the signup process).
  • Use PhoneNumberTokenProvider to GenerateAsync a TOTP and ValidateAsync to verify it later on. As you'll see, GenerateAsync and ValidateAsync require a User object - from which it reads the SecurityStamp. Number 1) Be careful: Don't provide public or guessable strings as SecurityStamp. I've seen implementations which use SHA(PhoneNumber) hashes as SecurityStamp. This is predictable and an attacker could generate his/her own TOTP. Number 2) You will need the same User.SecurityStamp for the GenerateAsync as well as for the ValidateAsync process. So, there is (probably?) no other way than storing the SecurityStamp somewhere...
  • Any other ideas highly welcome...
thomasgalliker
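The first option from the answer above, written out as an added example (this is not code from the answer or from ASP.NET Identity itself): the user is created with only the phone number so that Identity assigns the random SecurityStamp, and the UserManager methods GenerateChangePhoneNumberTokenAsync / VerifyChangePhoneNumberTokenAsync, which delegate to PhoneNumberTokenProvider, issue and check the OTP. ISmsSender and PhoneSignupService are hypothetical names; the user name is assumed to be the phone number itself.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical abstraction over the paid SMS gateway the first answer refers to.
public interface ISmsSender
{
    Task SendAsync(string phoneNumber, string message);
}

// C# 12 primary constructor; register this service in DI next to Identity.
public class PhoneSignupService(UserManager<IdentityUser> users, ISmsSender sms)
{
    // Step 1: create the "minimal" user (phone number only) and text the OTP.
    public async Task<IdentityResult> StartSignupAsync(string phoneNumber)
    {
        var user = await users.FindByNameAsync(phoneNumber);
        if (user != null && user.PhoneNumberConfirmed)
            return IdentityResult.Failed(new IdentityError { Description = "Phone number already registered." });
        if (user == null)
        {
            user = new IdentityUser { UserName = phoneNumber, PhoneNumber = phoneNumber };
            // CreateAsync assigns a random SecurityStamp; never derive one from the phone number.
            var created = await users.CreateAsync(user);
            if (!created.Succeeded) return created;
        }
        // Delegates to PhoneNumberTokenProvider.GenerateAsync, bound to user.SecurityStamp and the number.
        var code = await users.GenerateChangePhoneNumberTokenAsync(user, phoneNumber);
        await sms.SendAsync(phoneNumber, $"Your verification code is {code}");
        return IdentityResult.Success;
    }

    // Step 2: verify the OTP; on success confirm the number and rotate the stamp.
    public async Task<bool> CompleteSignupAsync(string phoneNumber, string code)
    {
        var user = await users.FindByNameAsync(phoneNumber);
        if (user == null || user.PhoneNumberConfirmed) return false;
        // Delegates to PhoneNumberTokenProvider.ValidateAsync using the stored SecurityStamp.
        if (!await users.VerifyChangePhoneNumberTokenAsync(user, code, phoneNumber)) return false;
        user.PhoneNumberConfirmed = true;
        await users.UpdateAsync(user);
        // A new stamp invalidates the code just used, so it cannot be replayed within its time window.
        await users.UpdateSecurityStampAsync(user);
        return true;
    }
}
```

The orphaned-user caveat from the answer still applies: rows with PhoneNumberConfirmed == false that never complete step 2 need a periodic cleanup job, and step 1 should be rate limited per phone number so the SMS gateway cannot be driven by repeated signup requests.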