Multi Factor Authentication & Centralized Identity Management Sample Project

1. GENERAL INFORMATION ABOUT THE PROJECT
I am sharing this project, which I prepared as a school assignment, so that anyone who needs it, or friends who want to review it, can use it. The source files of the project can be accessed via this link.
The project consists of three main sections, which can be defined as follows.
1- Task Management System: The task management system is an imaginary system for a business, chosen by picturing operations such as staff assignment, job tracking and project management being carried out on it by the staff.
2- Accounting Management System: The accounting management system is as indispensable for a business as the task management system, so it was chosen as the second imaginary system. It is intended for use by staff rather than by accounting personnel, for advance requests, allowance information, salary and other financial transactions.
3- User Management System: The user management system is the part of the project that concerns the subject. On this system, multi-factor authentication adds further security checks so that registration, session control, password renewal and account verification take place in a safer environment.
The accounting and task management systems are not fully operational and do not perform any real accounting or task operations; since those operations have nothing to do with the subject, they were not implemented. Only the main page and the logout page of each are active, which is enough to check whether or not the user is logged in.
2. THE ENVIRONMENT, LANGUAGE AND DATABASE OF THE PROJECT
· The project has been prepared on Visual Studio 2019.
· The project was prepared with ASP.NET MVC using Entity Framework.
· MSSQL database was preferred for the project.
3. PROJECT PREPARATION STAGES
3.1 Planning Phase
Before starting to prepare the project, it was decided what to do first: what a suitable system should look like and what kind of system fits the subject. The workflow was as follows.
1- Since the subject is multi-factor authentication and central identity management, there should be more than one independent but related system.
2- These independent but related systems should not hold session information separately; user verification and session control should be done through a single center.
3- At least two systems will be actively used, and one of them must be a user management system that provides user operations and session control for the others.
4- It was necessary to decide on which platform the project would be built and which language and database would be used, so these questions were taken up next.
5- The project should offer a solution suited to today's conditions. Desktop applications are not accessible from any platform, and mobile applications, although suited to today's conditions, are not preferred as widely as web-based systems. For this reason, it was decided to build web-based systems.
6- These web-based systems would be built using the MVC architecture on ASP.NET.
7- MSSQL would be used as the database for the systems to be prepared.
8- With the information needed for the design decided, the design of the project was started as the next step.
3.2. Designing Stage
For the design phase, the project should first be planned on paper. The steps to be taken, in order, are as follows.
1- Determining the authentication methods to be used.
2- Designing the models to be used.
3- Designing the functions that the system should perform according to the designed models.
4- Designing the pages required for the functions that should be done.
5- Determining the appropriate classes and functions for the designed functions and pages.
6- Finally, realizing the system prepared on paper.
With the design stages, needs and requirements determined, the design of the project started.
3.2.1. Determining the authentication methods to be used.
The authentication methods chosen for the systems play an important role in shaping the project. The method that provides session control and the security methods applied during login and password change are critical for the project. After research, the methods chosen for a system of this importance are as follows.
1- The method to be used for controlling and storing session data
This is the FormsAuthentication class under System.Web.Security. With this method the session data is stored in a cookie on the client, so only the browser holding that cookie can present it. To start a session, a new cookie is created with the GetAuthCookie function. Then a FormsAuthenticationTicket is created, carrying the validity period of the cookie and the data to be transported. This ticket is encrypted with the Encrypt function and turned into a string; the string is placed in the cookie, the cookie is attached to the HTTP response, and the user is redirected to the subsystem they should go to. Two points matter for this design: the encrypted ticket is a bearer token, so whoever obtains the cookie can use the session and the cookie should therefore be marked HttpOnly and Secure; and the other subsystems can only decrypt the ticket if they share the same machineKey configuration as the user management system.
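The ticket flow just described, as an added example in C# for ASP.NET MVC. This is not the project's own code. It assumes that all three sites are hosted under one parent domain (the `OrtakDomain` value is a placeholder) and that they share the same machineKey in web.config, without which the other sites cannot decrypt the ticket. The same block also implements the per-request session check that the login() function of section 3.2.5 performs, and the cookie removal used by the logout page.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not the project's code. Issues the FormsAuthentication ticket after
// the second login factor succeeds and reads it back on each request of a subsystem.
public static class OturumYardimcisi
{
    // Assumption: all subsystems are hosted under this parent domain.
    private const string OrtakDomain = ".example.test";

    public static void OturumAc(HttpResponseBase response, string kullaniciAdi,
                                string ipAdresi, int dakika = 30)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            kullaniciAdi,                    // identity carried by the ticket
            DateTime.Now,                    // issue time
            DateTime.Now.AddMinutes(dakika), // validity period
            false,                           // not persistent: dies with the browser
            ipAdresi);                       // extra data carried along (here the login IP)

        string sifreliBilet = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, sifreliBilet)
        {
            HttpOnly = true,      // the ticket is a bearer token: keep it away from script
            Secure = true,        // send only over HTTPS
            Domain = OrtakDomain, // shared so the other subsystems receive it
            Path = "/"
        };
        response.Cookies.Add(cookie);
    }

    // Returns the ticket when the cookie is present, intact and unexpired; otherwise null.
    public static FormsAuthenticationTicket OturumOku(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null; // tampered value, or a subsystem with a different machineKey
        }

        if (ticket == null || ticket.Expired)
            return null;
        return ticket;
    }

    // The login() check of section 3.2.5: true while the session is valid.
    public static bool Login(HttpRequestBase request)
    {
        return OturumOku(request) != null;
    }

    // Logout: overwrite the shared cookie with an already-expired one on the same domain.
    public static void OturumKapat(HttpResponseBase response)
    {
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Expires = DateTime.Now.AddDays(-1),
            Domain = OrtakDomain,
            Path = "/"
        };
        response.Cookies.Add(cookie);
    }
}
```

Each subsystem calls Login() on every page load and redirects to the login page when it returns false. Because the ticket is only a signed and encrypted blob, expiring it client-side does not revoke it on the server; a short validity period limits how long a stolen cookie remains useful.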
2- Authentication methods to be used to login to the system
Two factors will be used when the user logs into the system. The first is the user password: the user enters a username and password. If these are correct, a verification code is sent to the e-mail address registered in the system and the user is asked to enter it. Thus two-factor authentication (2FA) is achieved.
3- Authentication methods to be used for password renewal
If a user has lost access to the system and wants to change the current password, a password renewal must be requested. The user first enters the registered username or e-mail address, and a password renewal link is sent to the registered e-mail address for verification. As a second step, if the user arrives with a valid link, the security question created during registration must be answered correctly. If the answer is correct, a new password can be created. The security question is the weaker of the two checks, since answers are often guessable, so the e-mailed link should be single-use and time-limited.
4- Authentication methods to be used when registering to the system
One verification method is used during registration: an account confirmation link sent to the e-mail address after the user has entered and approved all the required data. The user verifies the account via this link. In this way, registering with a random e-mail address is prevented.
3.2.2. Designing Models to be Used
The model is the most important part of the project, because the systems will revolve around it. For this reason the model to be prepared is of great importance.
The questions and requirements to be considered for the model are as follows.
1- Will a registration process take place on the systems?
Considering the registration processes on the system, it is clear that a record of registered users must be kept. Apart from this, a log record can be kept of which users logged in.
2- Will any authorization be made?
Looking at the subject, no authorization is required, since the systems other than the user management system will not function actively and only session control is provided.
3- Will any association be made on the prepared models?
There will be an association between the log model and the model where user information is kept, so that each log record is linked to the user who logged in.
4- Will there be multiple databases for three separate systems to be prepared or will it work on a single database?
Since the systems are not a large project at the moment, they will work on a single database. If a larger system were written, a more extended design would be used in which only the required data is requested through a web service.
After these basic questions are answered, the models can be created according to the flow planned so far.
First, the user model, the backbone of the systems, must be created. Its fields are as follows.
1- kullaniciId (PK,AI,int) : The unique user ID number that will be generated as an auto incremental number for each user.
2- adSoyad (string) : A variable that will hold the user's first and last name information.
3- sifre (string) : The field that holds the user's password. It should hold a salted hash of the password, never the password itself.
4- kullaniciAdi (string) : The variable that will hold the username that the user can use when logging into the system.
5- email (string) : The field that holds the e-mail address the user can also log in with, and to which password renewal links and verification codes are sent.
6- soru (string) : The field that holds the security question used when the user forgets the password and needs to create a new one.
7- cevap (string) : The field that holds the answer to the security question. If the user gives the answer stored here, password renewal proceeds to the next step. Like the password, this should be stored as a hash rather than in clear.
8- dogrulamaKodu (string) : The field that holds the verification code sent for MFA.
9- hesapDurumu (bool) : A flag showing whether the user has activated the account, which stays passive until the e-mail address is verified.
The log model, which will be used after the user model is defined, will be defined as follows.
1- ipLoginId (PK,AI,int) : A unique, auto-incremental number type variable that will be created for each log record.
2- zaman (DateTime) : Variable in which the log-on time is kept.
3- ipAdresi (string) : The field that holds the IP address of the device from which the user logged in.
4- dogrulama (string) : The field that holds the session control verification code that is passed behind the scenes to the other systems while the user's session is checked.
5- kullanici (kullanici) : A field of the user type derived from the user model, holding the user who logged in.
The two planned models were created as described above. With these models, the next step is to determine the functions the system must fulfil.
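How the sifre and cevap fields of the user model can hold a salted hash instead of the raw value, as an added example in C#. This is not the project's code; the storage format (iterations, salt and derived key, Base64-encoded and dot-separated) and the iteration count are assumptions chosen for the example. It uses PBKDF2 through the framework's Rfc2898DeriveBytes class.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the project's code. Produces and verifies salted PBKDF2 hashes for
// the password and the security-question answer columns of the user model.
public static class KarmaYardimcisi
{
    private const int TuzBoyu = 16;      // bytes of random salt per record
    private const int AnahtarBoyu = 32;  // bytes of derived key stored
    private const int Tekrar = 100000;   // PBKDF2 iterations (assumption: tune to the server)

    // Returns "iterations.salt.hash" for storage in the sifre or cevap column.
    public static string Uret(string deger)
    {
        var tuz = new byte[TuzBoyu];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(tuz);

        byte[] anahtar;
        using (var pbkdf2 = new Rfc2898DeriveBytes(deger, tuz, Tekrar))
            anahtar = pbkdf2.GetBytes(AnahtarBoyu);

        return Tekrar + "." + Convert.ToBase64String(tuz) + "." + Convert.ToBase64String(anahtar);
    }

    // True when the supplied value matches the stored record; any malformed record fails closed.
    public static bool Dogrula(string deger, string kayitliKarma)
    {
        if (deger == null || kayitliKarma == null) return false;
        string[] parca = kayitliKarma.Split('.');
        if (parca.Length != 3) return false;

        int tekrar;
        byte[] tuz, beklenen;
        try
        {
            if (!int.TryParse(parca[0], out tekrar) || tekrar <= 0) return false;
            tuz = Convert.FromBase64String(parca[1]);
            beklenen = Convert.FromBase64String(parca[2]);
        }
        catch (FormatException)
        {
            return false;
        }

        byte[] hesaplanan;
        using (var pbkdf2 = new Rfc2898DeriveBytes(deger, tuz, tekrar))
            hesaplanan = pbkdf2.GetBytes(beklenen.Length);

        return SabitZamanliEsit(hesaplanan, beklenen);
    }

    // Compare every byte so timing does not reveal how many leading bytes matched.
    private static bool SabitZamanliEsit(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int fark = 0;
        for (int i = 0; i < a.Length; i++) fark |= a[i] ^ b[i];
        return fark == 0;
    }
}
```

The registration function stores `KarmaYardimcisi.Uret(sifre)` and `KarmaYardimcisi.Uret(cevap)`; the login and password renewal functions call `Dogrula`. The security answer should be normalized (trimmed, lower-cased) before hashing so that harmless typing differences do not lock the user out.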
3.2.3. Designing the Functions of the System According to the Designed Models
After the models are defined, the systems themselves must be designed, beginning with the functions they must perform. The functions required by the systems are as follows.
1- User management system
The user management system is the most important system of the project and therefore the densest and most functional one. Its main functions concern session control; apart from that it performs password renewal, registration and account verification. The definitions and methods used for these processes are described below.
a. New user registration
As in every system, the first step is creating a new user. A registration form based on the model is used. In the first step the form takes name, surname, e-mail address and username, because it must be checked against the system that the username and e-mail address do not match any existing record. After that check, the form is submitted with the security question, its answer and the user password, and a verification link is sent to the entered e-mail address. The user completes the registration by verifying the account via that link.
The functions that should be created according to this scenario can be listed as follows.
i. JsonResult girisBilgileriKontrol( string email, string kullaniciAdi, string adSoyad )
With this function, it is checked whether the information entered in the first step of the registration form is empty or points to an existing user. It returns a JSON package: a success code to proceed to the next stage, or an error code describing the problem.
ii. string MailGonder(string email, string konu, string mesaj)
This function sends the necessary e-mails to the user. It is used for the account verification link at registration and also in the login and password renewal sections.
iii. ActionResult dogrula(int kullaniciId, string dogrulamaKodu)
The account verification of registered users is performed through this function. If the correct data arrives with the link sent to the registered e-mail address, the account is verified and the user is redirected to the login page. Otherwise an error message states that the link is erroneous or expired.
b. Login the system
Logging in, indispensable for any system that requires verification, will be performed on the prepared systems. The scenario of this process is as follows.
First, a user who has registered and confirmed the account submits the username or e-mail address and the password to the function that verifies the login. If the username and password are correct, a verification code is sent to the registered e-mail address. If either is incorrect, an error message is generated and the user is informed.
After the user is verified and the code is sent, the login page moves to the second stage and asks for the code. The entered code is checked by the relevant function; if it is correct the user is directed into the system, otherwise an error message is generated and the user is notified.
The functions that should be created according to this scenario can be listed as follows.
i. JsonResult girisKontrol(string kullaniciAdi, string sifre, string dogrulamaKodu, string durum)
All operations related to logging into the system are performed through this function. The durum parameter takes two values, "first" and "second". If the value is "first", the function checks the username and password; if they are correct, it sends a hard-to-guess verification code generated by the system to the registered e-mail address and at the same time keeps this code in the session to compare with the value it will receive from the user. If no error has occurred so far, it returns confirmation to proceed to the second stage of the login; otherwise it returns an error message. If durum is "second", the second stage of the login is running: the function compares the code entered by the user with the code kept in the session and directs the user into the system if they match, or returns an error message if not. The stored code should expire after a few minutes and the number of attempts should be limited, so that a six-character code cannot simply be guessed.
ii. string rastgeleKod()
With this function, hard-to-guess random codes are generated. Each code consists of 6 characters chosen at random from the letters (32 lower-case and 32 upper-case) and 10 digits on the keyboard, 74 characters in all, so 74^6 (about 1.6 × 10^11) different codes are possible. The characters must be drawn from a cryptographic random number generator rather than System.Random, whose output is predictable.
c. Password renewal
Password renewal is the process by which members of the system reset their password, which is one of the authentication factors used to log in. The scenario of this process is as follows.
A user who has become a member and had the account approved can reset the password on the password renewal page after forgetting it. The username or e-mail address entered is checked by the relevant function, and if such a user exists, the security question is shown and the user is asked to answer it. If the answer is correct, the user is asked to create a new password and the reset is completed.
2- Task management system and accounting management system
a- Exit the system
Logging out terminates the session of the logged-in staff member.
b- Session control
Session control reads the session data written by the user management system and keeps the session alive in the current system.
3.2.4. Designing the pages that are necessary for the functions that they should do.
Although some of the functions above need no visual interface, others communicate with the user through a form. The pages needed for those functions are described below.
1- User Management System
a- Login
Users log in to the system through this page. The user is verified and admitted to the system following the scenario described above.
b- Kaydol
New users are added to the system through the sign-up page, which works in two stages. In the first stage only the name, surname, username and e-mail address are taken and checked against the users already registered. In the second stage, in addition to that information, the security question, its answer and the user password are entered and the registration is completed.
c- Şifre Yenile
Users who have lost their password can change it through the password renewal page. The process runs as two separate pages. In the first stage the username or e-mail address registered in the system is entered and it is checked whether such a user exists. If so, a password renewal link is sent to the e-mail address registered in the system.
d- Şifre Değiştir
The password change page is the page that the password renewal link sent to the user's e-mail address opens. There are two user actions on this page. First, the user must give the correct answer to the security question recorded on the account. If the answer is correct, the page moves to the second stage and asks for the new password. After the user enters the new password, the process is completed and the user is redirected to the login page.
e- Doğrula
The Verify page has no visual interface; it is the page on which the accounts of newly registered users are verified. After verification the user is redirected to the login page.
f- Yönlendir
The Forward page also has no visual interface. Its duty is to send the user who has logged in through the login page to the subsystem they should go to, redirecting directly to the main page of the relevant subsystem according to the information received from the login page. The target should be checked against the fixed list of subsystem addresses, so that the redirect parameter cannot send the user to an arbitrary site.
2- Accounting and Task Management System
a- Ana sayfa
As the name suggests, the home page is the landing page of the accounting and task management systems. If the user is not logged in, it shows buttons that lead to the registration and login pages. If the user is logged in, a welcome message of the form "Welcome {Name Surname}" is shown to indicate that the session is active, and a logout button at the bottom is used to leave the system.
b- Çıkış Yap
Users end their current session through the logout page. Since the session is shared, this logs them out of the other subsystems as well, and they are then redirected to the login page to log in again.
3.2.5. Determination of appropriate classes and functions for designed functions and pages.
To avoid writing the same code over and over for the repetitive operations in the systems, each repeated operation is placed in a function and these functions are collected under a class, which keeps the system more orderly. Operations that repeat, or may repeat as the system grows, were therefore functionalized. The resulting functions are given below.
1- User Management System
a- public string MailGonder( string EMail, string Konu, string Mesaj )
With this function an e-mail is created with the SmtpClient class and sent to any desired address. The returned string reports whether or not the e-mail was sent.
b- public string ipAl()
With this function the IP address of the user logging in is obtained from the incoming HTTP request. When the request has passed through a proxy, the forwarded addresses are examined to reach the original client address. Forwarding headers can be set by the client itself, so they should only be honored when the request arrived from a known proxy.
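One way to implement ipAl() with that check, as an added example in C#. This is not the project's code; the proxy addresses in `GuvenilirProxyler` are placeholders that would be replaced with the real reverse proxy addresses of the deployment.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;

// Added example, not the project's code. Resolves the client address for the log record.
// X-Forwarded-For is only trusted when the direct peer is one of our own proxies, because
// any client can send that header itself.
public static class IpYardimcisi
{
    // Assumption: addresses of the reverse proxies in front of the sites.
    private static readonly HashSet<string> GuvenilirProxyler =
        new HashSet<string> { "10.0.0.5", "10.0.0.6" };

    public static string IpAl(HttpRequestBase request)
    {
        string dogrudan = request.UserHostAddress ?? string.Empty;
        if (!GuvenilirProxyler.Contains(dogrudan))
            return dogrudan; // not behind our proxy: the header cannot be trusted

        string basliklar = request.Headers["X-Forwarded-For"];
        if (string.IsNullOrWhiteSpace(basliklar))
            return dogrudan;

        // Hops are appended left to right, so the rightmost entries were added by our own
        // proxies. Walk from the right, skip our proxies, and take the first other address.
        string[] atlamalar = basliklar.Split(',');
        for (int i = atlamalar.Length - 1; i >= 0; i--)
        {
            string aday = atlamalar[i].Trim();
            IPAddress parsed;
            if (!IPAddress.TryParse(aday, out parsed))
                return dogrudan; // malformed entry: fall back to the peer address
            if (!GuvenilirProxyler.Contains(aday))
                return aday;
        }
        return dogrudan;
    }
}
```

Walking from the right matters: the leftmost entry is whatever the client chose to send, so taking it would let a user write any address into the log record.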
c- public string rastgeleKod()
This function generates random 6-character verification codes. Each character is chosen at random from the 32 lower-case letters, 32 upper-case letters and 10 digits on the keyboard, 74 characters in total, so 74^6 (about 1.6 × 10^11) different combinations are possible. The selection must use a cryptographic random number generator, since the codes are sent to the user as a login factor.
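An implementation of rastgeleKod() together with the second-stage check of girisKontrol described in section 3.2.3, as an added example in C#. This is not the project's code. The alphabet is an assumption (ASCII letters and digits, 62 characters; the project's own 74-character set can be substituted), and the five-minute lifetime and five-attempt limit are assumptions chosen for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the project's code. Generates verification codes with a cryptographic
// RNG and checks a user-supplied code against the stored one with expiry and attempt limits.
public static class KodYardimcisi
{
    // Assumption: ASCII letters and digits; replace with the project's 74-character set.
    private const string Alfabe =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    public const int KodUzunlugu = 6;
    public static readonly TimeSpan Gecerlilik = TimeSpan.FromMinutes(5); // assumption
    public const int MaksDeneme = 5;                                        // assumption

    // Uniform selection: bytes that would bias the modulo are rejected and redrawn.
    public static string RastgeleKod()
    {
        var kod = new StringBuilder(KodUzunlugu);
        var tekByte = new byte[1];
        int sinir = 256 - (256 % Alfabe.Length);
        using (var rng = new RNGCryptoServiceProvider())
        {
            while (kod.Length < KodUzunlugu)
            {
                rng.GetBytes(tekByte);
                if (tekByte[0] < sinir)
                    kod.Append(Alfabe[tekByte[0] % Alfabe.Length]);
            }
        }
        return kod.ToString();
    }

    // What the session keeps between the "first" and "second" stage of girisKontrol.
    public class BekleyenGiris
    {
        public string Kod;
        public DateTime Son;
        public int Deneme;
    }

    // First stage, after the password check: create the pending entry and e-mail entry.Kod.
    public static BekleyenGiris Baslat()
    {
        return new BekleyenGiris
        {
            Kod = RastgeleKod(),
            Son = DateTime.UtcNow + Gecerlilik,
            Deneme = 0
        };
    }

    // Second stage: true only for the right code, within its lifetime and attempt limit.
    public static bool Dogrula(BekleyenGiris bekleyen, string girilen)
    {
        if (bekleyen == null || girilen == null) return false;
        if (DateTime.UtcNow > bekleyen.Son) return false;
        if (bekleyen.Deneme >= MaksDeneme) return false;
        bekleyen.Deneme++;
        bool esit = SabitZamanliEsit(bekleyen.Kod, girilen);
        if (esit) bekleyen.Kod = null; // single use: a replayed code fails
        return esit;
    }

    private static bool SabitZamanliEsit(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int fark = 0;
        for (int i = 0; i < a.Length; i++) fark |= a[i] ^ b[i];
        return fark == 0;
    }
}
```

The same generator can produce the tokens for the account verification and password renewal links, but those tokens sit in a URL that may be logged or forwarded, so they should be considerably longer than six characters and expire in the same way.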
2- Accounting and Task Management System
a- public bool login()
This is the main function for session control. It runs every time a page is loaded, checking the session and its duration. It returns false when the session has ended and true while it continues; when it has ended, the user is redirected to the login page.
3.2.6. Realization of the system prepared on paper.
With planning and design complete, the realization of the system begins. Since the workflow, functions and models are ready and it is clear what kind of system will be built, the realization proceeds quickly and the project is completed.