Last post Jul 19, 2016 11:54 AM by chrismikec
Jun 29, 2016 11:56 AM|chrismikec|LINK
I'm trying to find out what is the max value for a two factor authentication code from ASP.NET Identity 2.2.1.
I have tried setting the following:
but the two factor code isn't good for that long, so I'm wondering if perhaps this is the expiry for the cookie itself and not the code it contains. I'm wondering if there is a technical limitation to how long the verification code can last, based
on how it is generated. Basically, I have users who get delayed emails longer than 5 minutes, so I increased this time thinking it would make the code last longer.
All of the examples simply stick with 5 minutes, so I'm wondering if this is the actual limit. I read somewhere that there is an extra 90 second allowance on top of the 5 minutes, and so that seems to be around what I am getting.
If the limit should be greater than 5 minutes, am I simply setting it in the wrong place?
Jun 29, 2016 06:41 PM|Khanna Gaurav|LINK
Following link should help for Two factor authentication
Jun 30, 2016 06:30 AM|Yohann Lu|LINK
The following links for your reference.
1: In the App_Start\IdentityConfig.cs file sets the tokens to expire in 3 hours.
Account Confirmation and Password Recovery with ASP.NET Identity (C#):
2: ValidateInterval and ExpireTimespan.
3: Adding two-factor authentication to an application using ASP.NET Identity:
Jul 04, 2016 12:42 PM|chrismikec|LINK
I don't mean to be rude here, but these forums really frustrate me. Did you even read my question? I obviously know how to set up two factor verification. All I want to do is change the amount of time the two factor verification code is good for. That link
in no way helps me with this.
If you see something in that link that anywhere comes close to answering my question, feel free to point it out.
Jul 04, 2016 12:47 PM|chrismikec|LINK
Much like the previous answer, I fail to see how this answers my question at all. None of these links talk at all about how to change the expiry of the two factor verification code.
The third link at least mentions how to set the expiry for the two factor code, but, as you can see from my question, I am already calling it like that. The example in the link sets it to 5 minutes and, as I mentioned, I want it to be more than 5 minutes.
However, when I change that given code, it does not seem to change the expiry.
Am I missing something here?
Jul 06, 2016 08:54 AM|Yohann Lu|LINK
You can refer the following Startup file to configure OWIN authentication. It may help to you.
Jul 11, 2016 03:56 PM|chrismikec|LINK
Again, Yohann, I see nothing in there that helps me with my problem.
As I stated before, I understand that the usual setting is 5 minutes, and I can see on that link you sent me they use 5 minutes too.
HOWEVER, I see no mention of anything to do with increasing this value beyond 5 minutes.
Is there, or is there not, a limit of 5 minutes on this? If not, what is the limit?
Jul 15, 2016 09:56 AM|Yohann Lu|LINK
I have found that you can increase the max expiry time for the email confirmation.
The following code change in the Create method (in the App_Start\IdentityConfig.cs file) sets the tokens to expire in 30 minutes.
if (dataProtectionProvider != null)
TokenLifespan = TimeSpan.FromMinutes(30)
Jul 19, 2016 11:54 AM|chrismikec|LINK
Thanks Yohann, but as I said, I want the expiry for the two factor code, not the email confirmation.
Looks like the answer is no, I can't change the expiry on that code.
The underlying token provider is
, which uses
, which internally, if I am reading it right, hard codes the expiry to 3 minutes, with up to a max 90 second time variance.
I'm thinking the expiry I changed only changed the expiry on the cookie containing the two-factor code, not the code expiry itself. We validated that, as the error message you get back for when the code expires with a valid cookie is different from the error you get back with an expired code and an expired cookie.
I just think it is supremely disappointing that this isn't explained better in the help text for the