I’m working on getting a better handle on ASP.NET Core authentication.

So I have defined a simple user name/password authentication handler which is responsible for rebuilding the user’s identity in HandleAuthentication, as well as signing in the user (creating the cookie) after sign-in is complete on the login page.

The login page, after doing user name/password validation, will build the claims principal like this:

HttpContext.SignInAsync("MyAuthScheme", principal);

The line above will call my authentication handler’s SignIn method, which persists a basic cookie with information from the Principal object.

On the login page, the user has a checkbox option which offers to also verify some key phrase (like 2FA).

If the checkbox is checked, the authenticated user is navigated to an additional authentication screen where they enter some key phrase they know.

Questions

  1. Once the key phrase is confirmed, should it be added as a claim to the existing user principal, or should a new Identity be added? What’s the right thing to do? I think it should be a claim?

  2. We need to record the new fact that the user has further verified (the key phrase), so I’m calling the HttpContext.SignIn method once more, which rebuilds the cookie from the first login with the additional claim.

It seems to work, but I’m confused about whether I should have a single auth handler or one handler each for user name/password and key phrase.

If I were to implement two different identities, should they be stored in two different cookies?
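As an added example (not code from the post), here is one way to implement the approach in question 2 in C#: the verified key phrase is recorded as a claim on the existing identity, the cookie is re-issued under the same "MyAuthScheme", and an authorization policy gates the pages that need the second step. The claim type, policy name and class names are assumptions, and it assumes the custom handler’s SignIn replaces the cookie from the first login.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;

// Hypothetical helper: after the key phrase is verified, record that fact as a
// claim on the *existing* identity and re-issue the cookie under the same scheme,
// so the user keeps a single identity and a single cookie.
public static class StepUpSignIn
{
    // Claim type is an assumption; any stable, app-specific string works.
    public const string KeyPhraseClaimType = "urn:myapp:keyphrase_verified";

    public static async Task RecordKeyPhraseVerifiedAsync(HttpContext context)
    {
        // The identity produced by the first SignInAsync on the login page.
        var current = context.User.Identity as ClaimsIdentity
            ?? throw new InvalidOperationException("User is not signed in.");

        // Clone so the principal attached to the running request is not mutated.
        var updated = current.Clone();
        if (!updated.HasClaim(c => c.Type == KeyPhraseClaimType))
        {
            updated.AddClaim(new Claim(KeyPhraseClaimType, "true"));
        }

        // Signing in again under the same scheme rebuilds the cookie with the new claim
        // (assumes the custom handler's SignIn overwrites the existing cookie).
        await context.SignInAsync("MyAuthScheme", new ClaimsPrincipal(updated));
    }
}

// Pages that require the key phrase step check for the claim via a policy
// (e.g. [Authorize(Policy = "KeyPhraseVerified")]); policy name is an assumption.
public static class StepUpPolicy
{
    public static void Add(AuthorizationOptions options) =>
        options.AddPolicy("KeyPhraseVerified", p =>
            p.RequireAuthenticatedUser()
             .RequireClaim(StepUpSignIn.KeyPhraseClaimType, "true"));
}
```

Register the policy with `builder.Services.AddAuthorization(StepUpPolicy.Add)` so that a cookie from the first login alone does not satisfy pages behind the key phrase step.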