Two-factor authentication for Umbraco - part 1

Background

A recent client project required multi-factor authentication for both Umbraco admin logins and member profiles on the public site. We looked into existing Umbraco packages but couldn't find a solution that fit the bill. Here's how we solved the problem.

Why multi-factor authentication?

Two factor authentication is a common usage of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.  It dramatically increases the security of a system, because a leaked password or a lost device is not enough by itself to gain access.

It used to be common place for online banking, now it's expected for most online systems handling personal or financial information.

Our customer required two factor authentication (2FA) using Authy for:

• All back-office administrators
• A selection of users of the front-end website (called Members in Umbraco speak)

Whilst there are a few Umbraco packages out there already which definitely helped us on our way, we had a few specific requirements that meant we had to craft our own unique solution.

What’s already out there?

For the front-end member handling, the UmbracoIdentity package by Shannon Deminick was an incredible leg-up in getting started. In Shannon's own words, “this package was created to be 100% compatible” with the front-end base membership provider and uses a large portion of the shipped functionality that comes when you install Umbraco. Read more here.

For the back-office users, there is a 2FA package already available built by the guys over at Offroadcode. This implements the authentication flow using Google Authenticator, which is great! If you have a blank slate of technical requirements, or need to get something out the door at a reasonable pace, this is a fantastic project that will definitely get you going. You can read more about it here and download the package from the Umbraco repository here.

Unfortunately, neither of these would quite get us over the line for a number of reasons:

1. The Umbraco Identity package does not (yet) support multi-factor authentication out of the box
2. The Umbraco 2FA package is not easily configurable to support front and backoffice sign-in when used in tandem.
3. Neither were equipped to integrate directly with our chosen authentication provider, Authy.

A little more about Authy

Authy, by Twilio, is similar to Google Authenticator in the sense that it provides a service and API to add an extra layer of authentication to your site (either through SMS, app pushes, voice calls or email) which you can then access to accompany your security credentials.

We chose to use Authy over Google Authenticator for a couple of reasons (read a lively, albeit biased, debate on the two services), but the main one being the sheer volume of documentation, tutorials and guides that are available over at the Twilio site. And who doesn’t love a bit of well-written, interactive documentation?

Disclaimer: I won’t be covering the Authy integration in any detail here. If there is an appetite for that, then please get in touch and maybe it can be a future piece.

So that's the context, now head over to part 2 for the gritty detail of how 2FA works for the Umbraco back office.