
ASP.NET Identity 2 Adds Two-factor Authentication, Account Lockout, Security Stamp and Bug Fixes


ASP.NET Identity 2, recently released by Microsoft, provides support for two-factor authentication, account lockout and a security stamp, in addition to user account enhancements and indexing. It also includes an improved password validator and several bug fixes.

With two-factor authentication, developers can protect user accounts with custom providers instead of using traditional SMS- and email-based validation. For instance, they can write their own custom providers, such as QR code generators, and use authenticator apps on phones to validate the codes.

ASP.NET Identity 2.0 has been updated to offer protection against brute-force attacks: the relevant user account is automatically locked out for a specified amount of time when incorrect passwords or two-factor codes are entered. As a developer, you can configure the number of invalid attempts and the timespan, with an option to turn off the feature for certain user accounts.

The newly introduced security stamp feature enables you to provide a mechanism to log out from the application when the password or associated social login is modified. It can be configured in Startup.Auth.cs by registering a CookieAuthenticationProvider as shown on the official MSDN blog.

The latest release provides an extensibility hook with which you can specify the primary key of both the users and roles tables. This is useful for applications that store UserIds as GUIDs or ints.

Prior to the latest release, users could not be deleted through the UserManager. This has been fixed, and you can now delete users with the DeleteAsync() function.

var result = await UserManager.DeleteAsync(user);

The latest release lets developers use a factory implementation to retrieve an instance of UserManager from the OWIN context for SignIn and SignOut. In order to work with this feature, you need to add the following code in Startup.Auth.cs.


The DbContextFactory middleware returns an instance of the ApplicationDbContext per request, which you can use in your application. It can be configured in Startup.Auth.cs using the following code.
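The per-request factories, the security stamp check and the lockout settings described above can sit together in one Startup.Auth.cs. This is an added example, not code from the article or from Microsoft. It assumes the ApplicationDbContext, ApplicationUserManager and ApplicationUser classes (with their Create and GenerateUserIdentityAsync methods) of the MVC project template; CreateUserManager is a hypothetical helper, and the intervals and attempt counts are sample values.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // One ApplicationDbContext and one ApplicationUserManager per request.
        // Controllers resolve the manager from the OWIN context with
        // GetUserManager<ApplicationUserManager>().
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(CreateUserManager);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Every 30 minutes (sample value) the cookie's security stamp is
                // compared with the stored one. After a password or external
                // login change the stamps differ and the cookie is rejected.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }

    // Hypothetical helper: wraps the template factory to set lockout policy.
    private static ApplicationUserManager CreateUserManager(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = ApplicationUserManager.Create(options, context);
        manager.UserLockoutEnabledByDefault = true;                      // new accounts opt in
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;                // sample value
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5); // sample value
        return manager;
    }
}
```

The lockout settings only take effect if the login action records failures with UserManager.AccessFailedAsync and checks UserManager.IsLockedOutAsync before accepting a password or two-factor code. A shorter validateInterval narrows the window in which a stolen cookie survives a password change, at the cost of more database lookups.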


Microsoft has added a unique index on the Username using the new IndexAttribute, along with an enhanced password validator that provides complete control over password configuration. The release also provides a NuGet package with a sample ASP.NET MVC application and several bug fixes based on feedback from the community.

Along with ASP.NET Identity 2 RTM edition, Microsoft has also released Entity Framework 6.1 with features such as tooling consolidation, IndexAttribute, public mapping API besides support for .ToString, String.Concat and enum HasFlags in LINQ Queries and the ability to configure interceptors via the App/Web.config file.

Pranav Rastogi, Software Engineer, Microsoft, has outlined in his blog post the steps required to migrate applications from ASP.NET Identity 1.0 to 2 and from 2.0 beta 1 to 2. In addition to the above features, this release also includes features such as account confirmation, password reset, and IQueryable on UsersStore and RolesStore, which were originally added in the preview release in December 2013.
