refresh content

GitHubber17 · GitHubber17 · commit b3223a8d1f70 · 2026-05-14T12:54:32.000-07:00
diff --git a/aspnetcore/includes/managed-identities-conn-strings.md b/aspnetcore/includes/managed-identities-conn-strings.md
@@ -1,8 +1,10 @@
 ---
 author: tdykstra
 ms.author: tdykstra
-ms.date: 10/16/2024
+ms.date: 05/14/2026
 ms.topic: include
 ---
 > [!WARNING]
-> This article shows the use of connection strings. When using a local database for development and testing, database user authentication via the connection string isn't required. In production environments, connection strings sometimes include a password to authenticate database access or database operations. A resource owner password credential (ROPC) in a connection string is a security risk to avoid in production apps. Production apps should use the most secure authentication flow available. For more information on authentication for apps deployed to test or production environments, see <xref:security/index#secure-authentication-flows>.
+> This article shows the use of connection strings. When a local database is used for development and testing, database user authentication via the connection string isn't required.
+> In production environments, connection strings sometimes include a password for authenticating database access or database operations. A resource owner password credential (ROPC) in a connection string is a security risk that should be avoided in production apps. Production apps should use the most secure authentication flow available.
+> For more information on authentication for apps deployed to test or production environments, see <xref:security/index#secure-authentication-flows>.
diff --git a/aspnetcore/security/authentication/identity-enable-qrcodes.md b/aspnetcore/security/authentication/identity-enable-qrcodes.md
@@ -1,13 +1,15 @@
 ---
-title: Enable QR code generation for TOTP authenticator apps in ASP.NET Core
+title: Enable QR code generation for TOTP authentication
 ai-usage: ai-assisted
 author: wadepickett
-description: Discover how to enable QR code generation for TOTP authenticator apps that work with ASP.NET Core two-factor authentication.
+description: Discover how to enable QR code generation for time-based one-time password (TOTP) authenticator apps that work with ASP.NET Core two-factor authentication.
 monikerRange: '>= aspnetcore-2.1'
 ms.author: wpickett
-ms.date: 04/21/2026
+ms.date: 05/14/2026
 ms.reviewer: wpickett
 uid: security/authentication/identity-enable-qrcodes
+
+# customer intent: As an ASP.NET developer, I want to enable QR code generation for TOTP authenticator apps, so I can support two-factor authentication.
 ---
 
 # Enable QR code generation for TOTP authenticator apps in ASP.NET Core
@@ -19,7 +21,7 @@ ASP.NET Core includes support for authenticator applications for individual auth
 - An authenticator app provides a 6 to 8 digit code that users enter after confirming their username and password.
 - Typically, users install an authenticator app on a smartphone.
 
-> [!WARNING]
+> [!IMPORTANT]
 > Keep an ASP.NET Core TOTP code secret because it can be used to authenticate successfully multiple times before it expires.
 
 :::moniker range=">= aspnetcore-8.0"
@@ -37,56 +39,59 @@ The ASP.NET Core web app templates support authenticators but don't provide supp
 
 :::moniker-end
 
-Two-factor authentication doesn't happen by using an external authentication provider, such as [Google](xref:security/authentication/google-logins) or [Facebook](xref:security/authentication/facebook-logins). External logins are protected by whatever mechanism the external login provider provides. For example, the [Microsoft](xref:security/authentication/microsoft-logins) authentication provider requires a hardware key or another 2FA approach. If the default templates required 2FA for both the web app and the external authentication provider, users would need to satisfy two 2FA approaches. Requiring two 2FA approaches deviates from established security practices, which typically rely on a single, strong 2FA method for authentication.
+Two-factor authentication doesn't happen by using an external authentication provider, such as [Google](xref:security/authentication/google-logins) or [Facebook](xref:security/authentication/facebook-logins). External sign ins are protected by whatever mechanism the external sign-in provider supports. For example, the [Microsoft](xref:security/authentication/microsoft-logins) authentication provider requires a hardware key or another 2FA approach. If the default templates required 2FA for both the web app and the external authentication provider, users need to satisfy two 2FA approaches. Requiring two 2FA approaches deviates from established security practices, which typically rely on a single, strong 2FA method for authentication.
 
-## Adding QR codes to the 2FA configuration page
+## Add QR codes to the 2FA configuration page
 
-These instructions use `qrcode.js` from the [https://davidshimjs.github.io/qrcodejs/](https://davidshimjs.github.io/qrcodejs/) repo.
+The following instructions use the _qrcode.js_ file from the [https://davidshimjs.github.io/qrcodejs/](https://davidshimjs.github.io/qrcodejs/) repo.
 
-* Download the [`qrcode.js` JavaScript library](https://davidshimjs.github.io/qrcodejs/) to the `wwwroot\lib` folder in your project.
-* Follow the instructions in [Scaffold Identity](xref:security/authentication/scaffold-identity) to generate `/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml`.
-* In `/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml`, locate the `Scripts` section at the end of the file:
+1. Download the ['qrcode.js' JavaScript library](https://davidshimjs.github.io/qrcodejs/) to the _wwwroot\lib_ folder in your project.
 
-```cshtml
-@section Scripts {
-    <partial name="_ValidationScriptsPartial" />
-}
-```
-* Create a new JavaScript file called `qr.js` in `wwwroot/js` and add the following code to generate the QR code:
-
-```javascript
-window.addEventListener("load", () => {
-  const uri = document.getElementById("qrCodeData").getAttribute('data-url');
-  new QRCode(document.getElementById("qrCode"),
-    {
-      text: uri,
-      width: 150,
-      height: 150
-    });
-});
-```
+1. Follow the instructions in [Scaffold Identity](xref:security/authentication/scaffold-identity) to generate the _/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml_ file.
 
-* Update the `Scripts` section to add a reference to the `qrcode.js` library you previously downloaded.
-* Add the `qr.js` file with the call to generate the QR code:
+1. In the _/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml_ file, locate the `Scripts` section at the end of the file:
 
-```cshtml
-@section Scripts {
-    <partial name="_ValidationScriptsPartial" />
+   ```cshtml
+   @section Scripts {
+      <partial name="_ValidationScriptsPartial" />
+   }
+   ```
 
-    <script type="text/javascript" src="~/lib/qrcode.js"></script>
-    <script type="text/javascript" src="~/js/qr.js"></script>
-}
-```
+1. Create a new JavaScript file named _qr.js_ in the _wwwroot/js_ folder, and add the following code that generates the QR code:
 
-* Delete the paragraph that links you to these instructions.
+   ```javascript
+   window.addEventListener("load", () => {
+   const uri = document.getElementById("qrCodeData").getAttribute('data-url');
+   new QRCode(document.getElementById("qrCode"),
+      {
+         text: uri,
+         width: 150,
+         height: 150
+      });
+   });
+   ```
 
-Run your app and ensure that you can scan the QR code and validate the code the authenticator provides.
+1. Update the `Scripts` section to add a reference to the `qrcode.js` library you previously downloaded.
+
+1. Add the _qr.js_ file with the call that generates the QR code:
+
+   ```cshtml
+   @section Scripts {
+      <partial name="_ValidationScriptsPartial" />
+      <script type="text/javascript" src="~/lib/qrcode.js"></script>
+      <script type="text/javascript" src="~/js/qr.js"></script>
+   }
+   ```
+
+1. Delete the paragraph that links you to these instructions.
+
+1. Run your app. Confirm you can scan the QR code and validate the code the authenticator provides.
 
 ## Change the site name in the QR code
 
-The site name in the QR code comes from the project name you choose when initially creating your project. You can change it by looking for the `GenerateQrCodeUri(string email, string unformattedKey)` method in the `/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs`.
+The site name in the QR code comes from the project name you select when you create your project. You can change it by looking for the `GenerateQrCodeUri(string email, string unformattedKey)` method in the _/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs_ file.
 
-The default code from the template looks as follows:
+Here's the default code from the template:
 
 ```csharp
 private string GenerateQrCodeUri(string email, string unformattedKey)
@@ -99,17 +104,22 @@ private string GenerateQrCodeUri(string email, string unformattedKey)
 }
 ```
 
-The second parameter in the call to `string.Format` is your site name, taken from your solution name. You can change it to any value, but it must always be URL encoded.
+The second parameter in the call to `string.Format` is your site name, which is obtained from your solution name. You can change it to any value, but it must always be URL encoded.
 
-## Using a different QR code library
+## Use a different QR code library
 
 You can replace the QR code library with your preferred library. The HTML contains a `qrCode` element into which you can place a QR code by whatever mechanism your library provides.
 
-You can find the correctly formatted URL for the QR code in the:
+You can find the correctly formatted URL for the QR code in the following locations:
+
+* `AuthenticatorUri` property of the model
+* `data-url` property in the `qrCodeData` element
+
+## Check TOTP client and server times
 
-* `AuthenticatorUri` property of the model.
-* `data-url` property in the `qrCodeData` element.
+TOTP (Time-based One-Time Password) authentication depends on both the server and authenticator device having an accurate time. Tokens only last for 30 seconds. If TOTP 2FA sign-in fails, confirm the server time is accurate, and preferably synchronized to an accurate NTP service.
 
-## TOTP client and server time skew
+## Related content
 
-TOTP (Time-based One-Time Password) authentication depends on both the server and authenticator device having an accurate time. Tokens only last for 30 seconds. If TOTP 2FA logins fail, check that the server time is accurate, and preferably synchronized to an accurate NTP service.
+- <xref:blazor/security/qrcodes-for-authenticator-apps>
+- <xref:blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps>
diff --git a/aspnetcore/security/data-protection/consumer-apis/password-hashing.md b/aspnetcore/security/data-protection/consumer-apis/password-hashing.md
@@ -13,13 +13,19 @@ uid: security/data-protection/consumer-apis/password-hashing
 
 This article shows how to call the [KeyDerivation.Pbkdf2](/dotnet/api/microsoft.aspnetcore.cryptography.keyderivation.keyderivation.pbkdf2) method, which allows hashing a password with the PBKDF2 algorithm, as described in [RFC 2898, Section 5.2](https://datatracker.ietf.org/doc/html/rfc2898#section-5.2).
 
+The `KeyDerivation.Pbkdf2` API is a low-level cryptographic primitive. The intended use is for integrating apps into an existing protocol or cryptographic system.
+
 > [!WARNING]
-> The `KeyDerivation.Pbkdf2` API is a low-level cryptographic primitive. The intended use is for integrating apps into an existing protocol or cryptographic system. `KeyDerivation.Pbkdf2` shouldn't be used in new apps that support password-based sign in and which need to store hashed passwords in a datastore. New apps should use the [PasswordHasher](/dotnet/api/microsoft.aspnetcore.identity.passwordhasher-1) class. For more information, see [Exploring the ASP.NET Core Identity PasswordHasher](https://andrewlock.net/exploring-the-asp-net-core-identity-passwordhasher/).
+> `KeyDerivation.Pbkdf2` shouldn't be used in new apps that support password-based sign in and which need to store hashed passwords in a datastore. New apps should use the [PasswordHasher](/dotnet/api/microsoft.aspnetcore.identity.passwordhasher-1) class. For more information, see [Exploring the ASP.NET Core Identity PasswordHasher](https://andrewlock.net/exploring-the-asp-net-core-identity-passwordhasher/).
 
 The data protection code base includes a NuGet package [Microsoft.AspNetCore.Cryptography.KeyDerivation](https://www.nuget.org/packages/Microsoft.AspNetCore.Cryptography.KeyDerivation/) that contains cryptographic key derivation functions. This package is a standalone component and has no dependencies on the rest of the data protection system. The package can be used independently. The source exists alongside the data protection code base as a convenience.
 
+## Generate key with 'KeyDerivation.Pbkdf2'
+
+The following code shows how to use the `KeyDerivation.Pbkdf2` method to generate a shared secret key. 
+
 > [!WARNING]
-> The following code shows how to use `KeyDerivation.Pbkdf2` to generate a shared secret key. It shouldn't be used to hash a password for storage in a datastore.
+> Don't call the `KeyDerivation.Pbkdf2` method to hash a password for storage in a datastore.
 
 <!-- See https://github.com/dotnet/AspNetCore.Docs/pull/26253#issuecomment-1187984822 for detailed reasoning -->
 
