Simple, easy to use server-side two-factor authentication library for .NET that works with Google Authenticator

Install-Package GoogleAuthenticator

Additional examples at Google.Authenticator.WinTest and Google.Authenticator.WebSample

key should be stored by your application for future authentication and shouldn't be regenerated for each request. The process of storing the private key is outside the scope of this library and is the responsibility of the application.

using Google.Authenticator;

string key;

TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
SetupCode setupInfo = tfa.GenerateSetupCode("Test Two Factor", "user@example.com", key, false, 3);

string qrCodeImageUrl = setupInfo.QrCodeSetupImageUrl;
string manualEntrySetupCode = setupInfo.ManualEntryKey;

imgQrCode.ImageUrl = qrCodeImageUrl;
lblManualSetupCode.Text = manualEntrySetupCode;

// verify
TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
bool result = tfa.ValidateTwoFactorPIN(key, txtCode.Text)

Fixed an edge case where specifying an interval of 30 seconds to the Validate function would be treated as if you had passed in 0.

• Removed support for legacy .Net Framework. Lowest supported versions are now netstandard2.0 and .Net 4.6.2.
• All use of System.Drawing has been removed. In 2.5, only Net 6.0 avoided System.Drawing.
• Linux installations no longer need to ensure libgdiplus is installed as it is no longer used.
• Changed from using EscapeUriString to EscapeDataString to encode the "account title" as the former is obsolete in .Net 6. This changes the value in the generated data string from a@b.com to a%40b.com. We have tested this with Google Authenticator, Lastpass Authenticator and Microsoft Authenticator. All three of them handle it correctly and all three recognise that it is still the same account so this should be safe in most cases.

Now runs on .Net 6.0.
Technically the QR Coder library we rely on still does not fully support .Net 6.0 so it is possible there will be other niggling issues, but for now all tests pass for .Net 6.0 on both Windows and Linux.

• Old documentation indicated specifying width and height for the QR code, but changes in QR generation now uses pixels per module (QR "pixel") so using a value too high will result in a huge image that can overrun memory allocations
• Don't use the secret key and ManualEntryKey interchangeably. ManualEntryKey is used to enter into the authenticator app when scanning a QR code is impossible and is derived from the secret key (discussion example)
• With versions prior to 3.0 only, on linux, you need to ensure libgdiplus is installed if you want to generate QR Codes. See codebude/QRCoder#227.