What good is a TimeOTP client if you don't have anything to use it with? Last week I implemented a MembershipProvider that uses a Time-based One-Time Password to validate the user credentials. Basically, it is a wrapper around an existing MembershipProvider. You choose which one via the providerType attribute in the configuration, and the wrapped provider must be able to access the passwords of its users. Here is an example configuration that relies on the SqlMembershipProvider:

<?xml version="1.0"?>
<configuration>
	<connectionStrings>
		<add name="MyDatabase" connectionString="xxxxx" providerName="System.Data.SqlClient"/>
	</connectionStrings>
	<system.web>
		<membership defaultProvider="OTPMembershipProvider">
			<providers>
				<!-- The wrapper reads the stored password back, so enablePasswordRetrieval must be
				     true and passwordFormat cannot be Hashed. Clear keeps the password as plaintext
				     in the database. -->
				<add connectionStringName="MyDatabase"
				     enablePasswordRetrieval="true"
				     enablePasswordReset="true"
				     requiresQuestionAndAnswer="false"
				     applicationName="/DemoOTP"
				     requiresUniqueEmail="false"
				     passwordFormat="Clear"
				     maxInvalidPasswordAttempts="5"
				     minRequiredPasswordLength="7"
				     minRequiredNonalphanumericCharacters="1"
				     passwordAttemptWindow="10"
				     passwordStrengthRegularExpression=""
				     name="OTPMembershipProvider"
				     type="Be.Timvw.Framework.Web.Security.OneTimePasswordMembershipProvider, Be.Timvw.Framework.Web"
				     providerType="System.Web.Security.SqlMembershipProvider, System.Web" />
			</providers>
		</membership>
		<authentication mode="Forms" />
		<authorization>
			<allow users="timvw"/>
			<deny users="*"/>
		</authorization>
	</system.web>
</configuration>
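
The following C# is an added example, not the implementation from BeTimvwFramework. It shows how a wrapper of this kind can validate a submitted code against the password retrieved from the inner provider. Assumptions: RFC 6238 with HMAC-SHA1, 30-second steps, 6 digits, the password's UTF-8 bytes as the shared secret, and a window of one step either side; the names TotpCheck, Compute and FixedTimeEquals are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Added example; class and method names are hypothetical, not from BeTimvwFramework.
public static class TotpCheck
{
    const int StepSeconds = 30, Digits = 6, Modulus = 1000000; // assumed parameters
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // RFC 6238 code for one time step: HMAC-SHA1 plus RFC 4226 dynamic truncation.
    public static string Compute(byte[] secret, long step)
    {
        byte[] counter = BitConverter.GetBytes(step);
        if (BitConverter.IsLittleEndian) Array.Reverse(counter); // counter is big-endian
        using (var hmac = new HMACSHA1(secret))
        {
            byte[] h = hmac.ComputeHash(counter);
            int o = h[h.Length - 1] & 0x0F;
            int bin = ((h[o] & 0x7F) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3];
            return (bin % Modulus).ToString().PadLeft(Digits, '0');
        }
    }

    // True when 'code' matches the previous, current or next step for this user.
    public static bool ValidateUser(MembershipProvider inner, string username, string code, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(code) || code.Length != Digits) return false;
        // inner.ValidateUser is bypassed, so repeat its account-state checks here.
        MembershipUser user = inner.GetUser(username, false);
        if (user == null || user.IsLockedOut || !user.IsApproved) return false;
        string password = inner.GetPassword(username, null); // needs enablePasswordRetrieval="true"
        if (string.IsNullOrEmpty(password)) return false;
        byte[] secret = Encoding.UTF8.GetBytes(password);
        long now = ((long)(utcNow - Epoch).TotalSeconds) / StepSeconds;
        bool ok = false;
        for (long step = now - 1; step <= now + 1; step++)
            ok |= FixedTimeEquals(Compute(secret, step), code); // no early exit
        return ok;
    }

    // Compares without returning at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the inner provider's own ValidateUser is never called in this example, failed codes do not count toward maxInvalidPasswordAttempts, so attempt limiting has to be enforced separately.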

While I was writing unit tests I ran into a couple of issues:

  • NMock seemingly only works with interfaces, so I had to rip an interface out of the abstract base class and wrap that in a MockMembershipProvider.
  • Setting expectations for output parameters can be achieved with a SetNameParameterAction as described here.

Anyway, you can find the implementation of the MembershipProvider in BeTimvwFramework and download the demo web application.