The following presentation was delivered at Microsoft Code Camp 9 in Waltham, MA, and was titled "What's Auth Got to Do with it? Developing Multi-Factor Solutions with Microsoft .NET". This presentation is the property of CodeRight Inc and can be freely distributed for educational purposes. This presentation comprises 2 parts: first I'll review what issues MFA addresses and what Multi-Factor Authentication typically is, then second an example of integrating a Multi-Factor solution into a .NET Web Application.
Multifactor authentication (MFA) is an authentication system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. Multi-Factor Authentication is used to prevent and combat Web Site Forgery. More specifically, it attempts to address Cross Site Scripting, Phishing, Pharming, and "Man in the Middle" attacks. (I won't go into formal definitions of each, as you can find more information on Wikipedia.)
So, let's take a closer look at what is considered to be a factor of authentication. Typically we use login and password (which combined are considered a single factor). However, over the years other forms of authentication have been used, and each can be categorized in the following way.
User HAS:
    ID card
    Security token
    Software token
    Phone, or cell phone
User KNOWS:
    password
    pass phrase or PIN
Multi-Factor Authentication
Multi-Factor Examples?
    e-Commerce: Yahoo!, Amazon
    Financial: DiscoverCard, ING Direct
How do you incorporate MFA into .NET?
    Roll your own
    Integrate with 3rd party products: Tricipher, RSA, or Entrust
    Build a Custom Provider
Multi-Factor Authentication: Some of Today's Options
Membership Provider
What is a Provider Model and how/where is it used?
    Design pattern used extensively throughout .NET that enables developers to abstract data store(s) from the application
    Enables the creation or use of presentation controls to "snap-in" to "any" type of data store
    Examples of usage: CreateUserWizard control, Login, LoginView, etc.
What is the Membership Provider Model?
Great example of an Abstract Class in action!
    Definition of what methods to expect (Abstract Class)
    Controls that expect those defined methods to be implemented (CreateUserWizard, Login, LoginView)
    Implementation of those methods (Custom Provider)
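The provider model described above, as an added example that is not from the original presentation: a provider derived from SqlMembershipProvider whose ValidateUser requires the password plus an RFC 6238 time-based code from a software token, used here in place of the Tricipher vault the talk integrated with. SecretLookup and the convention that the last six characters typed into the password box carry the token code are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;
// Added example: password (user KNOWS) plus a time-based token code (user HAS).
public class TwoFactorSqlMembershipProvider : SqlMembershipProvider
{
    // Hypothetical hook: returns the user's enrolled token secret, or null if none.
    public static Func<string, byte[]> SecretLookup = user => null;
    // Called by the Login control. Assumption: the last 6 characters are the token code.
    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || password == null || password.Length <= 6) return false;
        string pwd = password.Substring(0, password.Length - 6);
        string code = password.Substring(password.Length - 6);
        // Evaluate both factors every time so the result does not show which one failed.
        bool firstOk = base.ValidateUser(username, pwd);
        byte[] secret = SecretLookup(username);
        bool secondOk = secret != null && VerifyTotp(secret, code, DateTime.UtcNow);
        return firstOk & secondOk;
    }
    // RFC 6238: 30-second steps, accepting one step of clock drift on either side.
    public static bool VerifyTotp(byte[] secret, string code, DateTime utcNow)
    {
        long step = (long)(utcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds / 30;
        bool match = false;
        for (long s = step - 1; s <= step + 1; s++) match |= FixedTimeEquals(Hotp(secret, s), code);
        return match;
    }
    // RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits.
    static string Hotp(byte[] secret, long counter)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);
        byte[] h;
        using (var hmac = new HMACSHA1(secret)) h = hmac.ComputeHash(msg);
        int o = h[h.Length - 1] & 0x0F;
        int bin = ((h[o] & 0x7F) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3];
        return (bin % 1000000).ToString("D6");
    }
    // Compare codes without stopping at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the Login control only calls ValidateUser, it works with this provider unchanged once the provider is registered in web.config. Second-factor failures here do not feed the SQL provider's lockout counter and accepted codes are not tracked for reuse, so a production provider needs both.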
Deploying SQLMembershipProvider
    Run aspnet_regsql.exe
    Create a webpage, add Login (or other) LoginView.
    Configure
Summary
    Defined Multi-Factor Authentication
    Defined a Membership Provider
    Reviewed OOB SQL Membership Provider
    Detailed how to create a Custom Provider to a Tricipher Armored Credential System (Vault)
Questions or Job Offers? Email: Bryan_Tuttle@CodeRight.com