Jeremy Hinz - 1 year ago
ASP.NET (C#) Question

How to create a validation code for account setup that is provided by the company to an approved user?

I am trying to create a basic website where, when a person registers with the site, they have to have an access pin (or code) to complete creating the account. I'm hoping to have the key as a rotating key which has to be provided by our company for people to create an account with us.

What I'm hoping to have on the registration page is as follows:

Email Address

Password

Account Passcode (The part I'm wondering on how to tackle)

For the email address and password I know there are built-in functions; however, I'm looking at having a passcode to activate the account, which has to be provided by the company after they have verified that the user falls within our guidelines for acceptable usage.

Edit: The data itself isn't confidential and just best practices and how to guides to using our medical products we support. The main focus is to keep patients from finding the information on the internet and performing self-treatment. No vital information, secrets, or confidential information is used.

To add, it would almost be like having an owner's manual for a vehicle that you only want a certified mechanic to use, because you're afraid of the average Joe misunderstanding the information and using something incorrectly or ending up hurting themselves.

Answer Source

EDIT: Ohh dear (god, gods, rocks, whatever you believe in), please do not use this method to secure confidential medical data.

The easiest way to create the rotating PIN like you describe would be to figure out the interval that you want it to rotate on (hours, days, weeks, etc.), reduce the current date and time to that interval, then hash it down to a shorter, easier to enter number that you can give to users as needed. Whether this whole plan is a good idea or not, I'll leave up to you, but it isn't something I would recommend.

As a very simple example, this is a (very poor) method of generating a PIN for a particular date. Please do not use this method in your real program, it is for demonstration purposes only. I'm not responsible if you do use it, and get hacked.

using System;

class Program
{
    static void Main(string[] args)
    {
        Console.WriteLine(GetPinForDate(new DateTime(2017, 7, 26)));
        Console.WriteLine(GetPinForDate(new DateTime(2017, 7, 27)));
        Console.WriteLine(GetPinForDate(new DateTime(2017, 7, 28)));
        Console.WriteLine(GetPinForDate(new DateTime(2017, 7, 29)));

        Console.ReadLine();
    }

    // Deliberately weak demo: whole days since 2000-01-01 run through
    // double.GetHashCode() (not a cryptographic hash, and no secret involved),
    // shifted left, then the decimal string is trimmed to its trailing digits.
    static string GetPinForDate(DateTime targetDate)
    {
        var days = Math.Floor((targetDate - new DateTime(2000, 1, 1)).TotalDays);
        return (days.GetHashCode() << 8).ToString().Substring(6);
    }
}

It produces the following output:

33760
68224
02688
37152

In your real program, you would collect the PIN from the user during registration and compare it to the pin generated by this function for the current date. If they match, allow the user to continue, if not, yell at them. You could have a small program that just displays the PIN for the current date using the same method running at your office, that you give out when someone calls and wants to create an account.

Just to explain, there are 2 main reasons I don't recommend this pattern.

  • The first is that it is just an odd authentication mechanism, it seems inconvenient for you, and is easily bypassed if someone figures out how to generate the PIN pattern.

  • In this particular example, the hashing is very weak, and untested. I came up with it in 30 seconds, and only tested it against 5 dates. There may be (and most likely are) cryptographic weaknesses in it that make guessing the PIN for a particular date fairly trivial.

A better method would be to use the existing authentication mechanisms in MVC. Add an Approved flag to your user accounts that is set to false by default. Let users create an account, and call you to request approval and activation, which is done on your end by modifying the flag through a web interface.
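As an added example (not code from the question or the answer above), here is the same date-window idea with the unkeyed hash replaced by an HMAC over the window index using a server-side secret, so that knowing the scheme alone is not enough to produce the PIN, plus a constant-time check that also accepts the previous window. The class name, the placeholder secret, the one-day window and the 2000-01-01 UTC epoch are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Keyed variant of the answer's date-window PIN: the window index is MACed with a
// server-side secret, so knowing the scheme alone does not reveal the PIN.
public static class WindowPin
{
    // Assumed placeholder secret; a real app loads it from a secret store.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("PLACEHOLDER-replace-with-random-key");
    private static readonly DateTime Epoch = new DateTime(2000, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private static readonly TimeSpan Window = TimeSpan.FromDays(1);   // assumed rotation interval
    private const int Digits = 6;
    // Whole windows since the epoch, in UTC so every office and server agrees.
    public static long WindowIndex(DateTime utcNow) => (utcNow - Epoch).Ticks / Window.Ticks;

    // HMAC-SHA256 over the big-endian window index, truncated to Digits decimal digits (RFC 4226 style).
    public static string PinForWindow(long index)
    {
        byte[] msg = BitConverter.GetBytes(index);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);
        using (var hmac = new HMACSHA256(Secret))
        {
            byte[] h = hmac.ComputeHash(msg);
            int offset = h[h.Length - 1] & 0x0F;
            int code = ((h[offset] & 0x7F) << 24) | (h[offset + 1] << 16)
                     | (h[offset + 2] << 8) | h[offset + 3];
            return (code % (int)Math.Pow(10, Digits)).ToString().PadLeft(Digits, '0');
        }
    }

    // Accept the current window and the previous one, so a code handed out just
    // before the window rolls over still works while the user finishes registering.
    public static bool Verify(string submitted, DateTime utcNow)
    {
        long idx = WindowIndex(utcNow);
        byte[] given = Encoding.ASCII.GetBytes(submitted ?? "");
        return FixedTimeEquals(given, Encoding.ASCII.GetBytes(PinForWindow(idx)))
            || FixedTimeEquals(given, Encoding.ASCII.GetBytes(PinForWindow(idx - 1)));
    }

    // Constant-time comparison so the check does not leak how many digits matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The registration page calls WindowPin.Verify(enteredPin, DateTime.UtcNow), and the office tool that hands out codes displays WindowPin.PinForWindow(WindowPin.WindowIndex(DateTime.UtcNow)).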
