
State of Microsoft Security: ASP.NET Identity 2.0

Way back in 2005, Microsoft released the ASP.NET Membership system. The release was part of their drive in the early days of ASP.NET to provide infrastructure “in the box” for the things that most non-trivial websites need. In the mid-2000s, Trustworthy Computing was still new and fresh, so security was on everybody's mind. Of course, security is still a crucial part of any website, no matter how trivial.

These concerns about security meant that the outdated Membership system eventually had to be replaced as security threats evolved and new, better security technologies emerged. Microsoft made a few improvements over the years, including Simple Membership, that eased some of the problems with the initial Membership release, but it still had some discouraging limitations. Microsoft certainly didn't contemplate support for Open Web Interface for .NET (OWIN) authentication middleware that allows logins by external identity providers such as Facebook, Google, Twitter, or even Microsoft. Microsoft made other enhancements to Membership over the years, but the time eventually came for a complete overhaul. That overhaul arrived in the fall of 2013, in the form of the first version of ASP.NET Identity, which had the benefit of years of work by Microsoft security engineers as well as feedback from developers.

Microsoft created ASP.NET Identity for use with all of the ASP.NET development frameworks and added support for OWIN authentication to make use of social login providers. Identity provided more flexible user profile management capabilities as well as more options for where the user data is persisted, enabled in part by Entity Framework's Code First features. And the list goes on and on. This wasn't your grandma's Membership system. For an overview of the differences between Membership and Identity and an introduction to ASP.NET Identity, see "Introduction to ASP.NET Identity," an article written by Microsoft's Pranav Rastogi. You can also see my own Dev Pro article, "New Visual Studio 2013 Security Feature: ASP.NET Identity."

ASP.NET Identity provided developers with a massive infrastructure change in the most fundamental way. Because of the long gestation period that has been typical of Microsoft's exceedingly transparent technology development process, awareness and understanding were allowed to take root and spread amongst consumers. Still, widespread adoption seems to have been slow. However, it now appears that Identity is gaining acceptance, helped along by its inclusion in many nooks and crannies of the various ASP.NET project templates, including MVC and Web Forms. In fact, it's quite possible that you're already using Identity features without even knowing it.

When it comes to security, particularly in the ASP.NET world, you can't accuse Microsoft of being sluggish. A couple of weeks ago, they released ASP.NET Identity 2.0, a release that deserves its whole-number version bump.

Quoting Pranav Rastogi from the RTM announcement post, "[t]he main focus in this release was to add security and account management features as well as address feedback from the community." Some of the highlights of this new release include support for two-factor authentication, account confirmation, password reset, support for IQueryable on Users and Roles, and better support for OWIN. An intriguing new feature is the support for regenerating the security stamp when a user changes his or her password, and the option of signing out everywhere that the application has logged into when using external authentication.

For a useful overview of what's new in this release, see Pranav Rastogi's blog post, "Announcing RTM of ASP.NET Identity 2.0.0." This post has a brief overview of all the new features and major issues that were fixed in the new release. Rastogi also includes information about the three NuGet packages you'll need to install (Microsoft.AspNet.Identity.EntityFramework, Microsoft.AspNet.Identity.Core, and Microsoft.AspNet.Identity.OWIN), as well as a fairly comprehensive sample application that's also available as a NuGet package. The ASP.NET Identity pages will remain the primary source of information, documentation, and tutorials over time, but as of late March 2014, there wasn't much new on those pages.

The only thing that's discouraging about the release of Identity 2.0 is that ASP.NET Identity is becoming a rather large, complicated beast. Sure, it supports many of the security features modern enterprise web applications need, but the learning curve is steep, particularly for developers whose day job isn't web security. Nevertheless, a reality of the security environment is that we need complex tools to battle complex threats, and Identity provides credible infrastructure for keeping up with attackers.
