ASP.NET Identity



ASP.NET Identity is a completely rewritten framework that brings the ASP.NET membership system into the modern era. It makes it easier to integrate different authentication systems, such as a local username and password as well as social logins such as Facebook and Twitter, and it gives you greater control over persisting data to the backend technology of your choice. ASP.NET Identity is a game changer by bringing in more modern authentication mechanisms such as two-factor authentication. You can use ASP.NET Identity to secure web apps as well as Web APIs.






The Discussion

  • Thanh Nguyen

    I would like to join and understand more about ASP.NET Identity.

  • Where can I download the source code for this demo?

  • @Thanh you can learn more about ASP.NET Identity at

  • Hi Pranav,

    I think Identity is a very strong system.
    There is only one thing I don't understand:
    building the role management.
    Is there a source or a tutorial to build it up from an out-of-the-box MVC project?

    P.S. there is a question, so 1+ jumping jack :-)

    Best regards

  • Pedro Dias

    Great talk, Pranav!

    Last question:
    How does this fit into AAD? Can I create and manage users there using the same interfaces that you demoed? It feels kind of old to store users and metadata in database tables when AAD has that infrastructure ready and available. If I understand it correctly, what I am asking for is an Identity implementation that sits on top of the Azure AD Graph API?

  • Two-factor authentication must comply with, at least:

    1) "something only the user knows" (aka password)
    2) "something only the user has" (for instance, a token device)

    Two-factor authentication with phone or email is not effective because the communication can be "known" by the service provider. Phone and email are not "something only the user has".

    A token code generated by a mobile app works well, but the "secret seed" (which is needed for generating token codes) must be encrypted using a PIN code. This PIN can be seen by a third person while you are typing it into your mobile device.

    Hardware tokens (OTP: One-Time Password) are more secure because the "secret seed" is stored in a secure memory; no one can see this secret key. Those devices are used by users of banking and financial systems to access their accounts.

    OTPs are also used for logging into a cloud (for instance Amazon AWS).

    On the other hand, why do banks and financial services not implement login using social networks? Can you trust social networks to access your money? Consider the recent security issues of some social networks.

  • @Caesar: If you download the Microsoft.AspNet.Identity.Samples NuGet package then it shows you how to do basic role management
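    For readers who asked how roles are created and assigned, here is an added example in C# for ASP.NET Identity 2.x; it is not code from the video, the page, or the Identity Samples package. It assumes the `ApplicationDbContext` and `ApplicationUser` types that the default MVC project template generates, and uses the synchronous extension methods (`RoleExists`, `Create`, `FindByName`, `IsInRole`, `AddToRole`) that ship in Microsoft.AspNet.Identity.

```csharp
using System;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Added example: create roles if missing and put an existing user into them.
// ApplicationDbContext / ApplicationUser are assumed from the MVC template.
public static class RoleSetup
{
    public static void EnsureRolesAndAssign(ApplicationDbContext db, string userName, params string[] roles)
    {
        var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
        var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));

        // Roles are rows in AspNetRoles; create each one only once.
        foreach (var role in roles)
        {
            if (!roleManager.RoleExists(role))
            {
                var created = roleManager.Create(new IdentityRole(role));
                if (!created.Succeeded)
                    throw new InvalidOperationException(string.Join("; ", created.Errors));
            }
        }

        // Membership is a row in AspNetUserRoles; AddToRole fails if the pair already exists,
        // so check first.
        var user = userManager.FindByName(userName);
        if (user == null)
            throw new InvalidOperationException("no such user: " + userName);

        foreach (var role in roles)
        {
            if (!userManager.IsInRole(user.Id, role))
            {
                var added = userManager.AddToRole(user.Id, role);
                if (!added.Succeeded)
                    throw new InvalidOperationException(string.Join("; ", added.Errors));
            }
        }
    }
}

// Enforcing the role: anonymous callers are redirected to the login page and
// signed-in users outside the role are refused.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

// Typical call site (hypothetical): a migration Seed method or application start-up.
// RoleSetup.EnsureRolesAndAssign(new ApplicationDbContext(), "admin@example.com", "Admin");
```

    One caveat worth knowing: role claims are copied into the authentication cookie at sign-in, so a role change takes effect for an already signed-in user only when that cookie is regenerated (the template's security-stamp validation in `Startup.Auth.cs` does this periodically, or you can call `UpdateSecurityStamp` to force it).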

  • Thanks Pranav.
    I think I got it.

    Be cool man.
    Two-factor authentication is more secure than one-factor.
    Social login is also good because you can secure your client information without buying any expensive SSL certificate.
    Microsoft, Facebook etc. have more manpower to secure their platforms, which also means your web app if you use social login.

  • Last question: is it possible to split the AspNetUsers table and store users

    from a-l in one table
    from m-z in a second table

  • Microsoft should fire these ridiculous clowns. I'm here to see if there is any progress in this half-baked identity system... but I only found bad jokes and someone with zero experience in real-world applications.

  • The pillars of security are strong authentication followed by fine-grained authorization. But the most important factor is "to be paranoid".

    Both email and phone are not trusted communication channels for two-factor authentication.

    Talking about costs... identity services are not cost free, see:

    If you have a web server, you must buy a certificate in order to implement HTTPS. You can buy a strong certificate for $5 USD/year, cheap or not?

    Identity services using social networks are cost free, but are not secure enough; consider the recent security issues of some social networks (remember the massive "password hacking" in some social networks).

    What about the recent "social experiments" carried out by some social networks? Would you like your app to be part of experiments in social networks? What about privacy?

    Best regards.

  • Thanks for bastardizing the ASP.NET membership system lol


  • What about the following article?

    "Critical design flaw in Active Directory could allow for a password change", Jul 15, 2014

  • Hi Carlos, you mixed up too many different things.
    If you want an SSL/TLS certificate that is secure, and with secure I mean a green address bar in your browser, you don't get it for $5/year.

    No one said you have to use the Azure service. If you don't want to, buy or rent a web server.

    Email and phone authentication is better than no authentication.
    If you want to use a hardware token to secure it, use it.

    Now I'm very interested in what you want to secure.

    Oh, the social experiments have nothing to do with the authentication. They manipulate posts to find out whatever.

  • Hi Caesar, yes there are some options for certificates; ok, with $5 USD you can buy a domain-validated certificate, if you need business validation you could spend more, it depends on your business needs.

    Email and phone are not effective for authentication because these channels can be (and in fact are) listened to by a "man in the middle". Security is a serious concern for business. In fact, financial and banking systems do not use email or phone for access to the user's accounts because these channels are not secure enough, and money is a serious matter.

    Authentication by social networks is not two-factor authentication, because a social account is not "something only the user has". Social networks use the user information in a variety of ways, for instance: "who accesses, what app, when, from where".

    Social experiments consist in modifying the social network behavior and observing the response of users. Social networks could perform experiments on the access to your app. Also, social networks can sell the information of who, when and from where people access your app. What about privacy?

    How secure can a system be? In my opinion the answer is binary: nothing or highly secure.

    If you use password-only or password with email/phone/social authentication, in both cases your system is an easy objective for hackers; for this reason it is very important to include the maximum level of security that you can reach.

    Two-factor authentication with a token is a very good solution in terms of cost/benefit. You can buy one token device (OTP) for $10 USD or use a virtual token for free.

    It is easy to implement your own two-factor authentication system based on TOTP (Time-Based One-Time Password) tokens; the algorithm is public, see RFC 6238. This document includes the algorithm implemented in Java,
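    The TOTP scheme the comment above points to (RFC 6238), as an added example in C# that is not from the page, from the RFC, or from ASP.NET Identity: a generator built on HOTP (RFC 4226) with HMAC-SHA1, and a verifier that accepts one 30-second step of clock drift on either side and compares codes in constant time. The self-test at the end uses the RFC 6238 Appendix B seed (ASCII "12345678901234567890") and test time 59 s, for which the RFC lists 94287082 with 8 digits. The step size, drift window and digit count are this example's choices; a real deployment would also record the last accepted step per user so a code cannot be replayed inside the window.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: minimal RFC 6238 TOTP generator and verifier (HMAC-SHA1 variant).
public static class Totp
{
    private const long StepSeconds = 30;   // RFC 6238 default time step (T0 = Unix epoch)

    // HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    public static string Hotp(byte[] secret, long counter, int digits = 6)
    {
        byte[] counterBytes = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(counterBytes);

        byte[] hash;
        using (var hmac = new HMACSHA1(secret))
            hash = hmac.ComputeHash(counterBytes);

        int offset = hash[hash.Length - 1] & 0x0F;
        int binary = ((hash[offset] & 0x7F) << 24)
                   | ((hash[offset + 1] & 0xFF) << 16)
                   | ((hash[offset + 2] & 0xFF) << 8)
                   | (hash[offset + 3] & 0xFF);

        int otp = binary % (int)Math.Pow(10, digits);
        return otp.ToString().PadLeft(digits, '0');
    }

    // TOTP: the counter is the number of whole time steps since the epoch.
    public static string Generate(byte[] secret, long unixTime, int digits = 6)
    {
        return Hotp(secret, unixTime / StepSeconds, digits);
    }

    // Accept the current step plus `window` steps either side, to absorb clock drift.
    public static bool Verify(byte[] secret, string code, long unixTime, int digits = 6, int window = 1)
    {
        long step = unixTime / StepSeconds;
        bool ok = false;
        for (long i = -window; i <= window; i++)
        {
            // Evaluate every candidate so timing does not reveal which step matched.
            ok |= FixedTimeEquals(Hotp(secret, step + i, digits), code);
        }
        return ok;
    }

    // Length-independent comparison: XOR every character pair and OR the results.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // RFC 6238 Appendix B test seed and the first test time (59 s); expected 8-digit code 94287082.
        byte[] seed = Encoding.ASCII.GetBytes("12345678901234567890");
        string code = Generate(seed, 59, 8);
        Console.WriteLine(code == "94287082" ? "RFC 6238 self-test passed" : "RFC 6238 self-test FAILED: " + code);

        // The same code is still accepted one step later because of the drift window...
        Console.WriteLine(Verify(seed, code, 59 + 30, 8) ? "accepted within window" : "rejected");
        // ...but not two steps later.
        Console.WriteLine(Verify(seed, code, 59 + 60, 8) ? "accepted (unexpected)" : "rejected outside window");
    }
}
```

    Note that the seed here is a fixed test constant; in practice the per-user seed is generated from a cryptographic RNG, stored encrypted at rest, and handed to the user once (for example as a QR code) during enrollment.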


  • Hi Pranav,

    I'm pretty new to the Identity subject and I saw some videos, but none of them explain the role management. I have some questions: how can I define some roles and how can I apply these roles to the users?

    Please give me some solution for it.

    Best regards.

  • Can somebody tell me, can I use ASP Identity on my site with all the NuGets that I need, and

    is the whole registration system free? Just take one ASP Identity template and publish it to my domain

    with registration system, login system etc.?

  • Can I have the complete code of the project that is shown in this video? Thanks.
