This and the next chapter look at managing users within a Razor Pages application. They look at two closely related topics: authentication and authorization. Authentication is the process of identifying who your user is. Authorization is part of the process of securing your application by limiting your user’s access to only those parts of the application they are allowed to access.
This chapter concentrates on the nature of a user and how you can authenticate their identity, that is, ensure they are who they claim to be. Authentication is hard to get right. From a practical point of view, you need to provide mechanisms to capture and store a user’s personal information, including something only they know, such as a password. Then you need to be able to recognise the user on subsequent visits. Your application might also require a secondary authentication mechanism, known as two-factor authentication (2FA), such as a code sent by SMS. You might need to provide the user with features to reset their password if they have forgotten it, or to manage their profile information. What about verifying email addresses? Or managing account lockouts in the event of repeated incorrect attempts to log in? And you need to do all of this in a cryptographically secure manner.