I’m trying to build a system as follows:
- User 1 is a low permission user. They will be using their phone and at some point will need to do a secure action.
- User 2 is an admin user and will be in the same room as user 1.
- User 2 will generate a temporary code on their own device (could be a phone or desktop), and then verbally give the code to user 1.
- User 1 will then enter the code given to them to complete the secure action.
Ideally, neither user 1 nor user 2 will reveal their account usernames to each other. The only thing that will be exchanged is the code.
The backend system I am using to build the basic user authentication is in ASP.NET Core MVC and ASP.NET Identity, and this will include an API to validate and generate the codes.
Does anyone have any ideas about how to implement the code generation and validation?
Potentially the codes will need to be long enough to identify which admin user requested the code (and thus approved the action), but hopefully not so long as to become unwieldy (maybe 6-8 characters?).
(I posted this to Stack Overflow: https://stackoverflow.com/questions/64073338/2-person-2-factor-authentication but was recommended to post on this site.)
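
An added example, not part of the original post: one way the flow described above could be implemented server-side, assuming .NET 5 or later. The class name, alphabet, 8-character length, two-minute lifetime and in-memory store are all assumptions, and both callers are assumed to be already authenticated through ASP.NET Identity.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical service: every name and constant here is an assumption.
public sealed class ApprovalCodeService
{
    // No 0/O or 1/I/L, so the code survives being read aloud.
    private const string Alphabet = "ABCDEFGHJKMNPQRSTUVWXYZ23456789";
    private const int CodeLength = 8;
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2);

    private sealed record Pending(string AdminUserId, string Action, DateTimeOffset ExpiresAt);

    // In-memory store for the sketch; expired, unredeemed entries are not purged here.
    // A multi-server deployment would need a shared store instead.
    private readonly ConcurrentDictionary<string, Pending> _pending = new();

    // Called by the authenticated admin (user 2). The code is purely random;
    // the server remembers which admin issued it and for which action.
    public string Issue(string adminUserId, string action)
    {
        while (true)
        {
            var chars = new char[CodeLength];
            for (int i = 0; i < chars.Length; i++)
                chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
            var code = new string(chars);
            var entry = new Pending(adminUserId, action, DateTimeOffset.UtcNow + Lifetime);
            // Retry in the unlikely case the same code is already outstanding.
            if (_pending.TryAdd(code, entry)) return code;
        }
    }

    // Called by the authenticated low-permission user (user 1).
    public bool TryRedeem(string code, string action, out string approvingAdminId)
    {
        approvingAdminId = "";
        var key = (code ?? "").Trim().ToUpperInvariant();
        // TryRemove makes the code single-use, even when the checks below fail.
        if (!_pending.TryRemove(key, out var entry)) return false;
        if (entry.ExpiresAt < DateTimeOffset.UtcNow || entry.Action != action) return false;
        approvingAdminId = entry.AdminUserId; // for the audit log only; never shown to user 1
        return true;
    }
}
```

Because the server records which admin issued each code, the code itself needs no identity embedded in it and neither username is exchanged. Redemption attempts should be rate-limited per account, since 8 characters from this alphabet give only about 40 bits.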