Microsoft.AspNetCore.Identity UserManager - Delete user AuthenticatorKey and RecoveryCodes

[Ogglas]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I miss a method for deleting AuthenticatorKey and RecoveryCodes for a user in Microsoft.AspNetCore.Identity UserManager. I can control nearly everything else but for some reason there is no method to remove these values.

Describe the solution you'd like

I would like the following methods implemented:

public virtual async Task<IdentityResult> RemoveAuthenticatorKeyAsync(TUser user)

public virtual async Task<IdentityResult> RemoveTwoFactorRecoveryCodesAsync(TUser user)

I know it might be a risk and that the authenticator app will not work until you reconfigure the AuthenticatorKey again etc. However calling ResetAuthenticatorKeyAsync without calling SetTwoFactorEnabledAsync(user, false); or similar will have the same affect imo.

Additional context

No response

[blowdart]

What is your use case for this? You can disable MFA and it'll all get ignored anyway. What does deletion accomplish for you that disabling doesn't?

[ghost]

Hi @Ogglas. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[Ogglas]

@blowdart If a user chooses to disable two-factor authentication I think there should be an alternative to also delete Two-factor authentication keys.

Current functionality:

Proposed extra button if a user has keys but not 2FA enabled:

A user can of course use Reset authenticator app but that only resets the authenticator key. The database will still keep track of AuthenticatorKey and RecoveryCodes in Table AspNetUserTokens and I think a user should have the possibility to remove these if they want. You can of course fix this via SQL but given that the UserManager handles everything else I think this should be handled as well.

[blowdart]

Fair enough. We'll think about it for 8.

(But there are a lot of edge case scenarios where usermanager doesn't do it)

[Flash619]

What is your use case for this? You can disable MFA and it'll all get ignored anyway. What does deletion accomplish for you that disabling doesn't?

I would also like to see this feature.

I currently am working within a system which has the concept of OTP disenrollment. In this case, I would like to also clear any related authentication tokens for that user. This way if OTP is re-enrolled, I do not need to worry about old keys floating around within the system or old authenticators still working.

To mitigate this today, upon OTP disenrollment I reset the authenticator key which feels wrong, as it simply replaces the key in the database instead of removing it entirely.

[tprime1]

What is your use case for this? You can disable MFA and it'll all get ignored anyway. What does deletion accomplish for you that disabling doesn't?

We offer MFA via both email and authenticator app. Many of our users are k-12 students who may or may not have a secondary device during class with which to authenticate. But they will, of course have their primary device. There may be another way to handle this scenario, but I'd like to allow them to be able to remove their AuthenticatorKeys and RecoveryCodes when they mistakenly set up an authenticator app. Removing those would cause their accounts to revert back to what we have as the default MFA method, email.