
My application uses two factor authentication with username/password followed by a code sent to the user by SMS or e-mail. I've been using cookies to remember users, but now I want to use bearer tokens in OAuth instead, with the help of OWIN.

Does OAuth solve two factor authentication somehow? If not, would it be a bad idea to:

  • Client sends (post) user credentials to /api/authentication (an ApiController)
    • If credentials are wrong, server responds with 400 Bad Request
    • If credentials are correct, server generates a code and sends it to the user by SMS. Then it responds with 401 Unauthorized with WWW-Authenticate: ??? to the client
  • Client sends code to /token (OAuth) with grant_type=password&username={code}
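One way to implement the second step of the flow described in the question as an OAuth extension grant under OWIN, as an added example that is not code from the question or from any answer: the /api/authentication step is assumed to have stored a PendingChallenge (hypothetical class and in-memory store) under an opaque challenge_id before sending the code, and the /token endpoint then verifies that code against the stored user instead of passing it as a username to the password grant. The grant name two_factor, the parameter names and the five-attempt cap are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Hypothetical record of a pending second-factor challenge, stored by the
// /api/authentication step (step 1) after username/password were verified.
public sealed class PendingChallenge { public string UserId, Code; public DateTime ExpiresUtc; public int Attempts; }

public class TwoFactorOAuthProvider : OAuthAuthorizationServerProvider
{
    // Placeholder in-memory store keyed by an opaque challenge id handed to the client in step 1.
    public static readonly ConcurrentDictionary<string, PendingChallenge> Challenges =
        new ConcurrentDictionary<string, PendingChallenge>();

    // POST /token with grant_type=two_factor&challenge_id=...&code=... handled as an
    // extension grant (RFC 6749 section 4.5) instead of overloading the password grant.
    public override Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
    {
        if (context.GrantType != "two_factor") return Task.FromResult<object>(null); // unhandled -> unsupported_grant_type
        string challengeId = context.Parameters.Get("challenge_id"), code = context.Parameters.Get("code");
        PendingChallenge pending;
        if (challengeId == null || code == null || !Challenges.TryGetValue(challengeId, out pending)
            || DateTime.UtcNow > pending.ExpiresUtc)
        {
            context.SetError("invalid_grant", "Unknown or expired challenge.");
        }
        else if (!FixedTimeEquals(pending.Code, code))
        {
            if (++pending.Attempts >= 5) Challenges.TryRemove(challengeId, out pending); // cap guesses
            context.SetError("invalid_grant", "Wrong code.");
        }
        else
        {
            Challenges.TryRemove(challengeId, out pending); // single use
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, pending.UserId)); // bound to the step-1 user
            identity.AddClaim(new Claim("amr", "mfa")); // token records that both factors were checked
            context.Validated(identity);
        }
        return Task.FromResult<object>(null);
    }

    private static bool FixedTimeEquals(string a, string b) // no early exit on the first mismatch
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

As with any OWIN provider, ValidateClientAuthentication must also be overridden to accept the client, and the provider is registered through OAuthAuthorizationServerOptions.Provider at startup.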
I believe this is not a standard flow supported by OAuth; you are issuing a code and sending it as if it's the resource owner. – Taiseer Joudeh Sep 23 '14 at 9:13
Taiseer, I read your ASP.Net OAuth related articles. They are good for a simple username/password authentication scenario. One of our systems requires similar two factor authentication: first username & password, and then in a 2nd step a memorable word. Is this possible to achieve with OAuth? – Nexus23 Apr 18 at 18:58
