Thank you all for watching and for your support. ►► If you want to check out all our courses you can do that here: courses.code-maze.com/courses/
@10Totti 6 months ago
Great tutorial! ♥
@CodeMaze 6 months ago
Thank you! Cheers!
@ArunKumar-y1d5v 6 months ago
Can you create a video tutorial on implementing OpenID Connect in a .NET Core API?
@CodeMaze 6 months ago
At one point, I will probably create a video series on using Duende to protect .NET applications. Also, I have a book, Mastering ASP.NET Core security, where this is explained in detail; it is also part of the Web API premium edition.
@JohnSourvinos 5 months ago
Awesome! At the front-end, upon successful login, there should be a "Don't ask me again on this computer" checkbox. I believe it would be too much to repeat this process on every user login. But since this is an OTP, I can't think of a way to implement such functionality. Any ideas?
@CodeMaze 5 months ago
Hi. Well, I wouldn't say "don't ask me again"; this is not secure. Some pause of a week or two is OK, but some sites are not even considering that; they will ask you for the OTP confirmation every time. Anyway, off the top of my head, you should include that as part of the login request in the DTO, then store in the DB the date when the user opted for it and maybe also a flag for whether the user checked that checkbox. Then, in the code, when you check if a user has 2FA enabled, and if they do, you can provide an additional check to see if they selected not to opt in for OTP again for some time and check the current date vs. the date they opted for that option. If it is greater than, I don't know, a week, you can ask for OTP again; otherwise you don't have to do it. Now, as I said, this is just off the top of my head, but I think it can be done that way.
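The check described in the reply above, sketched in C# as an added example (not code from the video or from Code Maze). The `UserRecord` columns, the `OtpSkipPolicy` class and the per-browser token are assumptions: the reply stores only a date and a flag, and the token is added here so that the skip applies only to the browser where the box was ticked.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;

// Constructed sample: the box was ticked during an OTP-verified login 3 days ago.
var now = DateTime.UtcNow;
var user = new UserRecord { TwoFactorEnabled = true };
string token = OtpSkipPolicy.Remember(user, now.AddDays(-3));

Console.WriteLine(OtpSkipPolicy.RequiresOtp(user, token, now));            // remembered browser, inside the window
Console.WriteLine(OtpSkipPolicy.RequiresOtp(user, null, now));             // another browser: no token sent
Console.WriteLine(OtpSkipPolicy.RequiresOtp(user, token, now.AddDays(8))); // window has passed

public class UserRecord // hypothetical columns added to the user table
{
    public bool TwoFactorEnabled { get; set; }
    public DateTime? OtpSkipOptedAtUtc { get; set; }  // the date the reply suggests storing
    public byte[]? OtpSkipTokenHash { get; set; }     // assumption: binds the opt-in to one browser
}

public static class OtpSkipPolicy // hypothetical helper
{
    static readonly TimeSpan Window = TimeSpan.FromDays(7); // "a week" from the reply

    // Call only after the OTP was verified and the login DTO had the checkbox set.
    public static string Remember(UserRecord user, DateTime nowUtc)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        user.OtpSkipOptedAtUtc = nowUtc;
        user.OtpSkipTokenHash = SHA256.HashData(raw);  // store only the hash
        return Convert.ToBase64String(raw);            // the client sends this back at login
    }

    public static bool RequiresOtp(UserRecord user, string? presented, DateTime nowUtc)
    {
        if (!user.TwoFactorEnabled) return false;
        DateTime? optedAt = user.OtpSkipOptedAtUtc;
        byte[]? stored = user.OtpSkipTokenHash;
        if (optedAt is null || stored is null || presented is null) return true;
        if (nowUtc < optedAt.Value || nowUtc - optedAt.Value > Window) return true;
        byte[] raw;
        try { raw = Convert.FromBase64String(presented); }
        catch (FormatException) { return true; }       // malformed token: fall back to OTP
        return !CryptographicOperations.FixedTimeEquals(SHA256.HashData(raw), stored);
    }
}
```

Clearing both columns, for example on a password change, makes the next login ask for the OTP again.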
@PankajNikam 6 months ago
Great! If I have to implement similar, is it compatible with MVC5?
@CodeMaze 6 months ago
Yes. Overall, it is the same implementation for any ASP.NET Core project template. I don't think you will be able to copy-paste the solution, but again, this video should provide enough information for you to implement the same in the MVC project.
@PankajNikam 6 months ago
@@CodeMaze Thank you :)
@Zencoder720 4 months ago
What's the point of 2FA on a web API if it is assumed that machines are going to be connecting with their client and secret using the OAuth flow?
@CodeMaze 4 months ago
One single point, higher security and proving the identity of the user by verifying the OTP issued by the API.
@Zencoder720 4 months ago
@@CodeMaze But if it is automation, there wouldn't be a way for that machine to retrieve the code, right? Am I missing something here?
@CodeMaze 4 months ago
Ah, I see now what you mean. Yeah, this is mainly implementation for the client apps that consume our API. Like Blazor Wasm, Angular, React, any type of UI client. There, you have a live user to verify the identity either via email code or the sms code (if implemented). If you have a public API, the implementation should be different, if implemented at all.
@attilaguba856 2 months ago
Great! How can I set this token up so that it will be valid for, let's say, 10 minutes? Then, when the token expires, send a message to the user that the token has expired?
@CodeMaze 2 months ago
Hi. Maybe you can try something like I did in this article: code-maze.com/email-confirmation-aspnet-core-identity/ under the Modifying Lifespan of the Email Token section. Then in the business logic, you can handle it.