Generic selectors
Exact matches only
Search in title
Search in content


Two-Factor Authentication with SecSign ID

Use SecSign ID ASP.NET two factor authentication on your ASP.NET project with an easy and highly secure user login using iOS or Android mobile devices as well as for desktop use.

Find out why our Two-Factor Authentication is the best, some key-facts for developers and why you should upgrade to SecSign for your business.

Learn more about the options of on-premise use and your own customized ID App in your corporate design.

Download the plugin as cloud version for a free and convenient protection.

Table of contents

    The SecSign ID API for ASP.NET is written in C#. In the ASP.NET API archive you can find the compiled API in a DLL library as well as the API source code and a brief example. You can find the source code as well as the example also on our GitHub site SecSignID ASP.NET / C# Interface.

    The actual range of the API consists only of two classes with which the two-factor authentication (in short 2FA) can be realized:

    The class includes all functions for requesting a so-called authentication session

    AuthSession: This class includes all information of a so-called authentication session (in short AuthSession)

    Questions? Feel free to get in touch with us if you need help setting up your SecSign ID plugin or to request a plugin for a not yet supported environment.

    1. Integration of a 2FA with SecSign ID ASP.NET / C# API

    ASP.NET (Active Server Pages .NET) is a procedure on server side which is based on .NET Framework and was developed by Microsoft. The .NET Framework is a software platform by Microsoft for development as well as for the execution of programs. It contains a run time environment (Common Language Runtime) as well as class libraries, programming interfaces and utilities. .NET Framework includes several languages which are in a first step translated into an intermediate language (the so-called Common Intermediate Language, in short CIL) and are later on compiled with a just-in-time compiler in the .NET runtime environment to the correct target platform.

    Languages belonging to .NET Framework are, among others, C# (C-Sharp), F#, (F-Sharp), J# (J-Sharp) and VB.NET. Additionally, there are implemented functional and logical languages like Fortran. Lisp und Prolog which, however, are not subect of this tutorial.
    A complete list of all languages as well as their implementation in .NET Framework can be found on Wikipedia.

    Another advantage of .NET Framework is the extensive class library which provides comprehensive functionalities and access to system functions.

    Let’s start

    After downloading and unzipping the archive the project of the example ‘WebExample’ can be used.

    For Windows you can use Visual Studio, for Linux or MacOSX you can use Xamarin (Mono). You might have to add the library, respectively insert ‘SecSignIDAPI.cs’ as reference.

    Visual Studio

    In the Solution Explorer of Visual Studio you can see the example project ‘WebExample’ and the included references. The reference SecSignIDApi might be marked with a yellow exclamation mark because the DII could not be found. In this case you can delete the reference. Then you can add new references with a right mouse click on ‘References’ .

    References > Add ReferenceIn the dialogue you switch to the tab ‘Browse’.

    You should now be in the directory of the WebExample. Please select the directory above, respectively the directory in which the DII from the zip-archive is located. Please select this directory and confirm with OK’

    You can of course also simply add the ‘SecSignIDApi.cs’ as file to the project, for example with a right mouse click on the project:

    WebExample > Add > Existing Item

    In the dialogue you can then add ‘SecSignIDApi.cs’ in the directory above.

    Please see the Microsoft howto.

    Xamarin (Mono Framework)

    How to add a reference in Xamarin:

    1. Right click (respectively CTRL+ left click) in the left sidebar of the project folder on the references of the project.
    2. Then, please select edit references. Under the tab ‘.NET-Assembly’ you can select via ‘Search’ the DII which is enclosed in the archive.

    Another option is to simply include the file ‘SecSignIDAPI.cs’.

    2. Communication with the ID-Authentication Server

    Communication with the ID-authentication server, in short ID-server, takes place through the class ‘System.Net.WebRequest’. With this request URL-coded lists of parameters are sent to the ID-server.

    System.Net.WebRequest request = System.Net.WebRequest.Create(this.secSignIDServer + ":" + this.secSignIDServerPort);
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = requestData.Length;
    // send data
    System.IO.Stream requestStream = request.GetRequestStream();
    requestStream.Write(requestData, 0, requestData.Length);
    //The reply of the server is also present in URL-coded format:
    // get response
    System.Net.WebResponse response = request.GetResponse();
    // get data from response
    System.IO.Stream responseStream = response.GetResponseStream();
    System.IO.StreamReader reader = new StreamReader(responseStream);
    string responseString = reader.ReadToEnd();
    Dictionary responseDict = new Dictionary();
    string[] responseValues = responseString.Split('&');
    foreach(string value in responseValues)
    if(value != null && !value.Equals(""))
    string[] valuePair = value.Split('=');
    responseDict.Add(valuePair[0], valuePair[1]);

    On the public ID-server only this communication type is used. The SecSign Routing server, which is installed in front of the public server, prevents any other requests. With an on-premise installation, however, other ways of communication like, for example, web service and SOAP are possible.

    3. Requesting an authentication session

    The project ‘WebExample’ consists of a ‘Default.aspx‘ behind which a simple website with HTML-form is hidden. The form has primarily only one text field where the SecSign ID can be entered. (In the example a validator – type: RegularExpressionValidator – is indicated additionally in order to verify the SecSign ID before it is sent to the server. However, the details will not be discussed at this point). Because of problems integrating html-snippets the opening and closing tag-characters are replaced by brackets.

    [form runat='server' id='LoginForm']
    		SecSign ID: [input id='secsignid' name='secsignid' type='text' size='30' maxlength='30' runat='server' /]
    		[asp:button name='login' id='login' type='submit' value='1' runat='server' Text='Login'  PostBackUrl="~/SecSignID.aspx"/]

    For requesting a so-called authentication session (AuthSession), the SecSign ID which was entered in the text field is sent to the ID-server. Besides, address, respectively URL of the web application and a name of the web application are sent to the ID-server. The name is shown to the user in a push notification on the smartphone. The URL of the web application is shown on the user´s smartphone after the confirmation of the AuthSession. In the example you can see the form which is sent to the site ~/SecSignID.aspx’. In the class ‘public partial class SecSignID : System.Web.UI.Page’ the method ‘Page_Load’, which checks the current stage of the login, is overwritten. The method is always invoked as soon as the site is loaded. If the example is executed in Xamarin or Visual Studio: http://localhost:8080/web-example/SecSignID.aspx The SecSign ID API must now be integrated into the ASP.NET-site ‘SecSignID.aspx’:

    using SecSignID;

    When sending the SecSign ID to the ASP.NET-site ‘SecSignID.aspx’ the AuthSession is now requested from the ID-server:

    protected void Page_Load(object sender, EventArgs e)
    	if(PreviousPage != null && PreviousPage.IsCrossPagePostBack)
    		// browser did send post request to this page
    		Default sourcePage = (Default) PreviousPage;
    		// get the value of the textfield
    		string secsignString = sourcePage.SecSignID;
    		string serviceName = "ASP.NET example how to use SecSignIDAPI";
    		string serviceUrl = Request.Url.Authority;
    		// request authentication session
    		SecSignIDAPI secSignIDAPI = null;
    		AuthSession authSession = null;
    			secSignIDAPI = new SecSignIDAPI();
    			authSession = secSignIDAPI.RequestAuthSession(secsignidString, serviceName, serviceUrl);
    		catch(System.Exception ex)
    			if(secSignIDAPI != null && authSession != null)
    				// we could get an auth session which has to be canceled now
    			handleError(ex, false);

    If an AuthSession for the transferred SecSign ID can be fetched from the ID-server, the type of the return value is ‘SecSignID.AuthSession’. Otherwise, an exception with an error code and an error message is thrown. (In the example you can find a more exact distinction between System.Exception and System.Net.WebException. The second one is thrown for a connection error, the first one only for an error on the ID-server, e.g. if the indicated SecSign ID does not exist.)

    4. Show access pass to the user and save of the session parameters

    After an authentication session for the transferred SecSign ID could be requested from the ID-server, the returned object (type: ‘SecSignID.AuthSession’) has the following values:

    authSession.GetSecSignID() : the SecSign ID sent to the ID-Server

    authSession.GetAuthSessionID() :
    the ID requested by the authentication session

    authSession.GetRequestID() : the request ID, which is forwarded with all following requests

    authSession.GetRequestingService() : the service name sent to the ID-Server

    authSession.GetRequestingServiceAddress() : the service URL sent to the ID-Server

    authSession.GetIconData() : the access pass as base-64 encoded PNG-picture data

    The so-called access symbol, the base64-encoded PNG graphic, must be shown to the user who wants to log in. The same graphic is sent from the ID-server to the user´s smartphone on which the user accepts the authentication after comparison of the graphic.

    Also, the other values of the AuthSession should be stored as they will be partly needed later on, for example to request the state of the AuthSession on the ID-server (e.g. whether the user has already accepted the AuthSession or not).

    In the example the data from the AuthSession object are stored in hidden HTML fields. It is also possible to store them in a temporary session on the web server or in a database. In the example the data are stored on the ASP.NET-site ‘SecSignID.aspx’ as any post of a form is sent to this page until the end of the login.

    // set all values
    this.secsignid.Value         = authSession.GetSecSignID();
    this.authsessionid.Value    = authSession.GetAuthSessionID();
    this.requestid.Value           = authSession.GetRequestID();
    this.servicename.Value       = authSession.GetRequestingService();
    this.serviceaddress.Value   = authSession.GetRequestingServiceAddress();
    this.authsessionicondata.Value   = authSession.GetRequestingServiceAddress();
    this.authSessionIconDisplay.Src = "data:image/png;base64," + authSession.GetIconData();
    this.authSessionIconDisplay.Alt = "SecSign ID Access Pass Icon";

    The form in ‘SecSignID.aspx’:

    [form id='CheckAuthSessionForm' runat='server']
    	[asp:Label id='lblMessage' runat='server'/]
    	[asp:HiddenField id='requestid' value='' runat='server'/]
    	[asp:HiddenField id='secsignid' value='' runat='server'/]
    	[asp:HiddenField id='authsessionid' value='' runat='server'/]
    	[asp:HiddenField id='servicename' value='' runat='server'/]
    	[asp:HiddenField id='serviceaddress' value='' runat='server'/]
    	[asp:HiddenField id='authsessionicondata' value='' runat='server'/]
    	[table][tr][td colspan='2']
    				Please verify the access pass using your smartphone:[br/]
    		[/td][/tr][tr][td colspan='2']
    				[img id='authSessionIconDisplay' src="" runat='server' /]
    			[td align='left']
    				[asp:button type ='submit' name='cancelauthsession' id='cancelauthsession' value='1' style='width:100px' runat='server' Text='Cancel' /]
    			[/td][td align='right']
    				[asp:button type ='submit' name='checkauthsession' id='checkauthsession' value='1' style='width:100px' runat='server' Text='OK' /]

    In the form you can also find the two buttons for verifying or canceling the AuthSession. The distinction between the two takes place on the server (runat=’server’) and with their ID.

    5. Request the state of the session

    An AuthSession can have different states:

    Pending: The AuthSession was requested but was neither confirmed nor rejected, etc.

    Expired: The AuthSession has expired (timeout after 2 minutes)

    Accepted: The AuthSession has been accepted by the user on the user´s smartphone

    Denied: The AuthSession has been rejected by the user on the user´s smartphone

    Suspended: The ID-Server has canceled the AuthSession, for example, because the user started several login attempts at the same time

    Canceled: The user canceled the complete login process on the website

    Fetched: The user has the access pass already on the smartphone but has not confirmed the AuthSession yet

    For requesting the status of the AuthSession you use the method ‘GetAuthSessionState’. For this SecSign ID, request ID and AuthSession ID must be sent to the ID-server.

    In the example this verification takes again place on the ASP.NET-site ‘SecSignID.aspx’, as the button of the above form sends the form data to this site:

    protected void Page_Load(object sender, EventArgs e)
    		// form was sent back to server.
    		if (!string.IsNullOrEmpty(form["checkauthsession"]))
    			int authSessionState = AuthSession.NOSTATE;
    				NameValueCollection form = Request.Form; // get form which has send the request
    AuthSession authSession = new AuthSession(form["secsignid"],
    form["requestid"], null,null, null);
    SecSignIDAPI secSignIDAPI = new SecSignIDAPI();
    // check authsession state
    authSessionState = secSignIDAPI.GetAuthSessionState(authSession);
    if(authSessionState == AuthSession.ACCEPTED){
    Response.Redirect("Intern.aspx?secsignid=" + authSession.GetSecSignID());
    else if(authSessionState == AuthSession.PENDING || authSessionState == AuthSession.FETCHED){
    this.lblMessage.Text = "the auth session is still pending... it has neither be accepted nor denied.";
    if(authSessionState == AuthSession.DENIED){
    Response.Write("You have denied the auth session...");
    // render previous page
    if(PreviousPage != null){
    } else {
    catch(System.Exception ex)
    handleError(ex, false);

    6. React to the session status

    In the above example you can see the reaction to the AuthSession status which was sent by the ID-server: If the status is ‘PENDING’ or ‘FETCHED’ (as soon as the user has started the confirmation process on the smartphone, the session status on the ID-server will switch from ‘PENDING’ to ‘FETCHED’. Only if the user then selects the correct access symbol on the smartphone, the status will change again.), the user has neither accepted nor rejected the session, respectively AuthSession.

    In the example the user is notified and the access symbol is still shown to the user. If the status is, for example, ‘DENIED’ or ‘CANCELED‘, the login process has either been canceled or the user has rejected the access symbol on the smartphone. In this case there will be an automatic return to the homepage. If you integrate the ASP.NET API into your own project, you will be able to decide how to handle this internally and if you, for example, show specific pages or record this. This means for the login procedure that the user is not logged in on the website. If the AuthSession status is ‘ACCEPTED’, the user has accepted the access symbol and thus the session on the smartphone. The AuthSession gets this status only if the user has selected the correct access symbol on the smartphone after comparing the four symbols on the smartphone with the symbol on the website. In the example an ASP.NET-site ‘Intern.aspx’ is shown.

    For the login this means that the user authentication was successful. Depending on the present system or CMS the CMS user can be found out through the SecSign ID and can be logged into the system. Thus, if you integrate the ASP.NET API into your project, the following might happen: If you have a CMS system with an own user administration in which one SecSign ID is assigned to each user, the CMS user for the SecSign ID might be requested now and will be afterwards logged into CMS. Depending on the CMS this is done with session cookies like, for example, for WordPress or Joomla, or by the storage of registered users in a database. Thus, in your project (where the AuthSession status is ‘ACCEPTED’) a defined user can be registered by you, or a status can be defined.

    Depending on the project, this way actions can be started as well, depending on whether the user has the required rights. Thus, SecSign ID API does not only provide you with a two-factor authentication but also with the option that in a complex system the start of services or, more generally, any action depends on another user confirmation. The user who wants to start a service authenticates with the SecSign ID and the smartphone so that the system can use this to verify, if the user has the required rights, and can afterwards perform the action. The authentication, thus, initiates the start of services.

    7. Cancellation of the session

    On client side the AuthSession can be canceled with the method ‘CancelAuthSession’ Please see again the example of ‘SecSignIDAPI.aspx’:

    protected void Page_Load(object sender, EventArgs e)
    		// get post data and decide whether go back when cancel has been clicked or to check authsession
    		NameValueCollection form = Request.Form;
    		if (!string.IsNullOrEmpty(form["cancelauthsession"]))
    				NameValueCollection form = Request.Form; // get form which has send the request
    				AuthSession authSession = new AuthSession(form["secsignid"], form["authsessionid"], form["requestid"], null, null, null);
    				SecSignIDAPI secSignIDAPI = new SecSignIDAPI();
    				// cancel auth session
    				// render previous page
    				if(PreviousPage != null){
    				} else {
    			catch(System.Exception ex)
    				handleError(ex, false);

    8. Integration into different languages of the .NET Frameworks

    With the SecSign ID ASP.NET plugin a two-factor authentication can be easily realized for ASP.NET-sites. Of course, it is also possible to have a two-step authentication for a web service by operating the SecSign ID either in before or after it.

    The exact difference between two-factor authentication and two-step authentication is subject of this blog post. However, the API is not specifically written for ASP.NET, but in C#. By this, it is possible to integrate API and two-factor authentication into any project which is based on the NET Framework. As all required methods are available in C#-API (also for the communication with the ID-server) you only have to integrate the API ‘SecSignIDAPI.cs’. Also, it is possible to, for example, integrate the compiled C#-library into VB.NET-projects. Examples how to integrate libraries using a different language can be found, for example, on Microsofts howto. In order to use the C#-class in VB.NET you only have to add it in Visual Studio as reference to the VB.NET-project. The SecSign ID C# API is compiled ‘CLS compliant’.

    Minimum requirement is .NET (respectively Mono) Version 3.5 so that the library can also be used in projects using .NET Framework 4.0 or 4.5. In order to use the integrated .NET Dll you can either use the key word ‘new’ or generate a new instance through ‘CreateObject’:

    Public Function requestAuthSession() As SecSignID.AuthSession
    	Dim secsignString As String = "leonie"
    	Dim serviceName As String = "VB.NET example";
    	Dim serviceUrl As String = "localhost"
    	// request authentication session
    	Dim authSession as SecSignID.AuthSession
    	Dim objSecSignID As SecSignID.SecSignIDAPI
    	Set objSecSignID = New SecSignID.SecSignIDAPI
    	authSession = objSecSignID.RequestAuthSession(secsignidString, serviceName, serviceUrl)
       Return authSession;
    End Function

    Or, instead of using

    Dim objSecSignID As SecSignID.SecSignIDAPI
    Set objSecSignID = New SecSignID.SecSignIDAPI

    you could use (as mentioned above) the ‘CreateObject’-Notation:

    Dim objSecSignID As SecSignID.SecSignIDAPI
    Set objSecSignID = CreateObject("SecSignID.SecSignIDAPI")

    9. Available APIS

    We provide an ever growing list of APIs and plugins to easily integrate the SecSign ID Two-Factor Authentication in any project. An overview is available at Plugin and APIs.
    We do not only offer APIs in different programming languages but also plugins for CMS, Server and VPN environments, oAuth2 and many more. These plugins use our APIs and offer additional functionalities, for example user management, easy and native installation, logging or integration in firewalls or Active Directory.

    The JIRA plugin for example uses the JAVA-API. The PHP-Api and JS-API is used by WordPress, Joomla, Drupal, Typo3 and many more. The is used for the Windows and Cisco VPN and the C-API is used for protecting Unix SSH services. The Objective-C API is used by our AppleTV and iPhone/iPad apps.


    10. See for yourself

    You can experience the SecSign ID two-factor authentication and the two-factor login by simply integrating the plugin into your website or test environment. Or you can try out the login process on our website without having to register first. You already have a SecSign ID or you want one? Login now and use the portal or use our hassle free registration.

    See for yourself how fast and convenient the login process using challenge-response authentication with 2048-bit key pairs is. There is no need for passwords, and no passwords or other confidential information are ever transmitted. It is easy to integrate and simple to use.

    For more information about the patented SafeKey procedure and it's unique security can be found here.

    If you are missing an API for the programming language you are working with, feel free to contact us and we’ll find a solution with you. If you need help with the integration into an existing system or you can’t find the plugin for your content management system you are working with, don’t hesitate to contact our support team.

    Your own ID-Server

    On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.


    Why upgrade to SecSign?

    On-premise or in the cloud

    Choose between our SecSign ID Cloud or operate your own on-premise Two-Factor Authentication server.

    Easy customization

    Operate your own YourBrand ID app - Two-Factor Authentication customized to your needs.

    Ready-to-use SDK

    Integrate SecSign ID Two-Factor Authentication in existing apps with our ready-to-use SDK.

    Easy user management

    Use the Two-Factor Authentication Server to secure your company Active Directory/LDAP. Your own Identity and Access Management System, for example for mandatory updates and additional security features.

    Cover all logins

    Integration in any login environment: web, local, VPN, remote desktop, mobile logins and many more.

    Plugins for all your needs

    No need for complex integration: we have plugins for almost all environments.

    SecSign 2FA