
ASP.NET Identity

Download

Right click “Save as…”

  • Slides (view online)
  • MP3 (Audio only)
  • MP4 (iPhone, Android)
  • High Quality MP4 (iPad, PC, Xbox)
  • Mid Quality MP4 (Windows Phone, HTML5, iPhone)

ASP.NET Identity is a totally rewritten framework that brings the ASP.NET membership system into the modern era. It makes it easier to integrate different authentication systems, such as local username and password as well as social logins such as Facebook and Twitter, and it gives you greater control over persisting data to your backend technology of choice. ASP.NET Identity is a game changer by bringing in more modern authentication systems such as Two-Factor Authentication. You can use ASP.NET Identity to secure web apps as well as Web APIs.

Follow the Discussion

  • Thanh Nguyen

    I would like to join and understand more about ASP.NET Identity.

  • Where can I download the source code for this demo?

  • @pvj12, you can download sources from https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/

    https://github.com/rustd/FBLogin

    You can follow tutorials at http://www.asp.net/identity/

  • @Thanh you can learn more about ASP.NET Identity at http://www.asp.net/identity

  • Caesar

    Hi Pranav,

    I think ASP.NET Identity is a very strong system.
    There is only one thing I don't understand:
    building the role management.
    Is there a source or a tutorial to build it up from an out-of-the-box MVC project?

    P.S. There is a question, so 1+ jumping jack :-)

    Best regards

  • Pedro Dias

    Great talk, Pranav!

    Last question:
    How does this fit into AAD? Can I create and manage users there using the same interfaces that you demoed? It feels kind of old to store users and metadata in database tables when AAD has that infrastructure ready and available. If I understand it correctly, what I am asking for is an Identity implementation that sits on top of the Azure AD Graph API?

  • Two-factor authentication must comply with, at least:

    1) "something only the user knows" (aka password)
    2) "something only the user has" (for instance, a token device)

    Two-factor authentication with phone or email is not effective because the communication can be "known" by the service provider. Phone and email are not "something only the user has".

    A token code generated by a mobile app works well, but the "secret seed" (which is needed to generate token codes) must be encrypted using a PIN code. This PIN can be seen by a third person while you are typing it into your mobile device.

    Hardware tokens (OTP: One-Time Password) are more secure because the "secret seed" is stored in a secure memory; no one can see this secret key. These devices are used by users of banking and financial systems to access their accounts.

    OTPs are also used for logging in to a cloud (for instance, Amazon AWS).

    On the other hand, why don't banks and financial services implement login using social networks? Can you trust social networks to access your money? Consider the recent security issues of some social networks.

  • @Caesar: If you download the Microsoft.AspNet.Identity.Samples NuGet package, it shows you how to do basic role management.

  • Caesar

    Thanks Pranav.
    I think I got it.

    @carlospinedag:
    Be cool, man.
    Two-factor authentication is better for security than one-factor.
    Social login is also good because you can secure your client information without buying any expensive SSL certificate.
    Microsoft, Facebook etc. have more manpower to secure their platforms, which also means your web app if you use social login.

  • Caesar

    @rustd:
    Last question: is it possible to split the AspNetUsers table and store users

    from a-l in one table
    &
    from m-z in a second table?

  • Thomas

    Microsoft should fire these ridiculous clowns. I'm here to see if there is any progress in this half-baked identity system... but I only found bad jokes and someone with zero experience in real-world applications.

  • @Caesar:
    The pillars of security are strong authentication followed by fine-grained authorization. But the most important factor is "to be paranoid".

    Both email and phone are not trusted communication channels for two-factor authentication.

    Talking about costs... identity services are not cost free; see: http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/

    If you have a web server, you must buy a certificate in order to implement HTTPS. You can buy a strong certificate for $5 USD/year; cheap or not?

    Identity services using social networks are cost free, but they are not secure enough; consider the recent security issues of some social networks (remember the massive "password hacking" in some social networks).

    What about the recent "social experiments" carried out by some social networks? Would you like your app to be part of experiments in social networks? What about privacy?

    Best Regards.

  • Thanks for bastardizing the ASP.NET membership system lol

    http://i.imgur.com/c3m4ieS.jpg


  • What about the following article?

    "Critical design flaw in Active Directory could allow for a password change", Jul 15, 2014

    http://www.csoonline.com/article/2453930/data-protection/critical-design-flaw-in-active-directory-could-allow-for-a-password-change.html

  • Caesar

    @carlospinedag

    Hi Carlos, you mixed up too many different things.
    If you want an SSL/TLS certificate that is secure, and by secure I mean a green address bar in your browser, you don't get it for $5/year.

    No one said you have to use the Azure service. If you don't want to, buy or rent a web server.

    Email & phone authentication is better than no authentication.
    If you want to use a hardware token to secure it, use it.

    Now I'm very interested in what you want to secure.

    Oh, the social experiments have nothing to do with authentication. They manipulate posts to find out whatever.

  • @Caesar:

    Hi Caesar, yes, there are some options for certificates. OK, with $5 USD you can buy a domain-validated certificate; if you need business validation, you could spend more, depending on your business needs.

    Email and phone are not effective for authentication because these channels can be (and in fact are) listened to by a "man in the middle". Security is a serious concern for business. In fact, financial and banking systems do not use email or phone for access to the users' accounts because these channels are not secure enough, and money is a serious matter.

    Authentication by social networks is not two-factor authentication, because a social account is not "something only the user has". Social networks use the user information in a variety of ways, for instance: "who accesses, what app, when, from where".

    Social experiments consist of modifying the social network's behavior and observing the response of users. Social networks could perform experiments on the access to your app. Also, social networks can sell the information of who, when and from where people access your app. What about privacy?

    How secure can a system be? In my opinion the answer is binary: nothing or highly secure.

    If you use password-only or password with email/phone/social authentication, in both cases your system is an easy objective for hackers; for this reason it is very important to include the maximum level of security that you can reach.

    Two-factor authentication with a token is a very good solution in terms of cost/benefit. You can buy one token device (OTP) for $10 USD or use a virtual token for free.

    It is easy to implement your own two-factor authentication system based on TOTP (Time-Based One-Time Password) tokens; the algorithm is public, see RFC 6238: http://tools.ietf.org/html/rfc6238 This document includes the algorithm implemented in Java,

    Regards

  • Hi Pranav,

    I'm pretty new to the Identity subject and I saw some videos, but none of them explain role management. I have some questions: how can I define some roles and how can I apply these roles to the users?

    Please give me some solution about it.

    Best Regards.
