As I mentioned above, there are different variants of
implementing 2-step or phone verification on a website, and there isn’t a
classic method that I can discuss here. The implementation also varies by the
structure of a website, its requirements, and some other factors. However, in
this post, I’m going to implement a simple prototype of a 2-step verification
system for an ASP.NET MVC application that follows a standard approach. The
implementation is easy to adapt, and it is even simpler in ASP.NET Web Forms, since
you can use server controls to achieve many of the same goals faster and with less code.
Here I use the default ASP.NET MVC application template
(with Razor view engine) provided by Microsoft and modify that so after the
user provides the correct username and password combination, I send a text
message with a verification code to a mobile number, and then ask the user to
enter this code to be able to sign in. In order to save users from the hassle
of redoing this verification every time, I use the IP address and user agent of
the client as two factors to identify trusted machines. Of course, there are
better ways to achieve uniqueness but I skip them here for the sake of
simplicity that I need for educational purposes. After a successful login from
a trusted machine/browser, the user doesn't need to redo this process, and only
repeats it when signing in from a different IP address and/or browser.
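The two pieces of the flow described above, issuing and checking the text-message code and remembering a trusted machine by its IP address and user agent, can be isolated from the MVC controller into one small class. The following is an added example written for this post, not the code from the original prototype or from the Microsoft template; the class name `TwoStepVerifier`, the in-memory dictionaries standing in for a database, the 6-digit code format, the five-attempt limit and the code lifetime are all my assumptions. The controller would call `IssueCode` right after the password check succeeds (and hand the returned code to whatever SMS gateway is used), then `VerifyCode` when the user posts the code back, and `IsTrusted` to skip the second step on later logins.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not part of the original post): second-step code
// issuance/verification plus the IP + user-agent "trusted machine" memory.
public class TwoStepVerifier
{
    private class PendingCode
    {
        public string Code;
        public DateTime ExpiresUtc;
        public int Attempts;
    }

    // In a real application both of these would live in the database
    // (one pending code per user; one trusted-machine row per user/machine).
    private readonly Dictionary<string, PendingCode> _pending = new Dictionary<string, PendingCode>();
    private readonly HashSet<string> _trusted = new HashSet<string>();
    private readonly TimeSpan _lifetime;
    private const int MaxAttempts = 5; // assumed limit before the code is discarded

    public TwoStepVerifier(TimeSpan lifetime) { _lifetime = lifetime; }

    // Step 1: called after the username/password check passes. Returns the
    // code that the caller sends by SMS; it is never written to the page.
    public string IssueCode(string userName)
    {
        var buf = new byte[4];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        // 6-digit numeric code derived from CSPRNG output (not Random, which is predictable).
        var code = (BitConverter.ToUInt32(buf, 0) % 1000000u).ToString("D6");
        _pending[userName] = new PendingCode
        {
            Code = code,
            ExpiresUtc = DateTime.UtcNow.Add(_lifetime),
            Attempts = 0
        };
        return code;
    }

    // Step 2: the user posts the code back. The code is single-use, expires,
    // is attempt-limited, and is compared without short-circuiting on the
    // first differing character. On success the current machine is remembered.
    public bool VerifyCode(string userName, string submitted, string ip, string userAgent)
    {
        PendingCode p;
        if (!_pending.TryGetValue(userName, out p)) return false;
        if (DateTime.UtcNow > p.ExpiresUtc || ++p.Attempts > MaxAttempts)
        {
            _pending.Remove(userName); // expired or brute-forced: force a fresh code
            return false;
        }
        if (!FixedTimeEquals(p.Code, submitted ?? "")) return false;

        _pending.Remove(userName);
        _trusted.Add(MachineKey(userName, ip, userAgent));
        return true;
    }

    // Later logins: same user from the same IP + browser skips the SMS step.
    public bool IsTrusted(string userName, string ip, string userAgent)
    {
        return _trusted.Contains(MachineKey(userName, ip, userAgent));
    }

    // Fingerprint = SHA-256 over user, IP and user agent, so raw user-agent
    // strings are not stored. As the post notes, this is a weak identifier;
    // it is used here only for the educational prototype.
    private static string MachineKey(string userName, string ip, string userAgent)
    {
        using (var sha = SHA256.Create())
        {
            var bytes = Encoding.UTF8.GetBytes(userName + "\n" + ip + "\n" + userAgent);
            return Convert.ToBase64String(sha.ComputeHash(bytes));
        }
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Constructed walk-through of the flow (stand-in for the controller actions).
public static class Demo
{
    public static void Main()
    {
        var verifier = new TwoStepVerifier(TimeSpan.FromMinutes(5));
        const string user = "alice", ip = "203.0.113.10", ua = "Mozilla/5.0 (constructed sample)";

        Console.WriteLine(verifier.IsTrusted(user, ip, ua));          // False: first login
        string code = verifier.IssueCode(user);                        // would be sent by SMS
        Console.WriteLine(verifier.VerifyCode(user, "000000", ip, ua)); // False (almost surely)
        Console.WriteLine(verifier.VerifyCode(user, code, ip, ua));     // True: code accepted
        Console.WriteLine(verifier.VerifyCode(user, code, ip, ua));     // False: single-use
        Console.WriteLine(verifier.IsTrusted(user, ip, ua));            // True: machine remembered
        Console.WriteLine(verifier.IsTrusted(user, ip, "Other/1.0"));   // False: different browser
    }
}
```

In the MVC `LogOn` action this maps onto three branches after `Membership.ValidateUser` succeeds: if `IsTrusted(userName, Request.UserHostAddress, Request.UserAgent)` returns true, set the forms-authentication cookie as the template already does; otherwise call `IssueCode`, send the text message, stash the pending user name in session or TempData, and redirect to a view that posts the code to an action calling `VerifyCode`. The wrong-code, expired-code and replayed-code cases all fall through to the same "verification failed" view.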