From df05640ddd447874cc52a9408979363409010acd Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 20 Nov 2024 15:31:06 -0500
Subject: [PATCH 01/25] 2FA/TOTP coverage for WASM+Identity

---
 ...ount-confirmation-and-password-recovery.md |   2 +
 .../qrcodes-for-authenticator-apps.md         | 893 ++++++++++++++++++
 aspnetcore/toc.yml                            |   4 +-
 3 files changed, 898 insertions(+), 1 deletion(-)
 create mode 100644 aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
index 729507bb94ae..2a67461ca129 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
@@ -9,6 +9,8 @@ uid: blazor/security/webassembly/standalone-with-identity/account-confirmation-a
 ---
 # Account confirmation and password recovery in ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity
 
+[!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
+
 This article explains how to configure an ASP.NET Core Blazor WebAssembly app with ASP.NET Core Identity with email confirmation and password recovery.
 
 > [!NOTE]
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
new file mode 100644
index 000000000000..cbdaf7f15d23
--- /dev/null
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -0,0 +1,893 @@
+---
+title: Enable QR code generation for TOTP authenticator apps in ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity
+author: guardrex
+description: Learn how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with TOTP authenticator app.
+ms.author: riande
+monikerRange: '>= aspnetcore-8.0'
+ms.date: 11/20/2024
+uid: blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps
+---
+# Enable QR code generation for TOTP authenticator apps in ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity
+
+[!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
+
+This article explains how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with TOTP authenticator app.
+
+> [!NOTE]
+> This article only applies standalone Blazor WebAssembly apps with ASP.NET Core Identity. To implement QR code generation for Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>.
+
+For an introduction to two-factor authentication (2FA) with authenticator apps using a Time-based One-time Password Algorithm (TOTP), see <xref:security/authentication/identity-enable-qrcodes>.
+
+> [!WARNING]
+> An ASP.NET Core TOTP code should be kept secret because it can be used to authenticate successfully multiple times before it expires.
+
+## Two-factor/TOTP processing
+
+... EXPLAIN API BASICS HERE ...
+
+## Namespace
+
+The namespaces used by the examples in this article are:
+
+* `Backend` for the backend server web API project ("server project" in this article).
+* `BlazorWasmAuth` for the front-end client standalone Blazor WebAssembly app ("client project" in this article).
+
+These namespaces correspond to the projects in the `BlazorWebAssemblyStandaloneWithIdentity` sample solution in the [`dotnet/blazor-samples` GitHub repository](https://github.com/dotnet/blazor-samples). For more information, see <xref:blazor/security/webassembly/standalone-with-identity/index#sample-apps>.
+
+If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample solution, change the namespaces in the code examples to use the namespaces of your projects.
+
+**All of the changes to the app covered by this article outside of the *Configure account confirmation and password recovery* section take place in the `BlazorWasmAuth` project.**
+
+## Configure account confirmation and password recovery
+
+Follow the guidance in <xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery> to establish account confirmation and password recovery features:
+
+* [Select and configure an email provider for the server project](xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery#select-and-configure-an-email-provider-for-the-server-project)
+* [Configure a user secret for the provider's security key](xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery#configure-a-user-secret-for-the-providers-security-key)
+* [Implement `IEmailSender` in the server project](xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery#implement-iemailsender-in-the-server-project)
+
+Two-factor authentication doesn't strictly require account confirmation and password recovery features, so you aren't required to adopt the remaining guidance in the cross-linked article.
+
+## Adding QR codes to the app
+
+These instructions use [Shim Sangmin](https://hogangnono.com)'s [qrcode.js: Cross-browser QRCode generator for JavaScript](https://davidshimjs.github.io/qrcodejs/) ([`davidshimjs/qrcodejs` GitHub repository](https://github.com/davidshimjs/qrcodejs)).
+
+Download the [`qrcode.min.js`](https://davidshimjs.github.io/qrcodejs/) library to the `wwwroot` folder of the `BlazorWasmAuth` project. The library has no dependencies.
+
+## Set the TOTP organization name
+
+Set the site name in the app settings file of the `BlazorWasmAuth` project. Use a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. Examples: Yahoo, Amazon, Etsy, Microsoft, Zoho. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
+
+In the following example, the the company name is `Weyland-Yutani Corporation` (&copy;1986 20th Century Studios [*Aliens*](https://www.20thcenturystudios.com/movies/aliens)).
+
+Added to `wwwroot/appsettings.json` of the `BlazorWasmAuth` project:
+
+```json
+"TotpOrganizationName": "Weyland-Yutani Corporation"
+```
+
+The file after the configuration key-value are added:
+
+```json
+{
+  "BackendUrl": "https://localhost:7211",
+  "FrontendUrl": "https://localhost:7171",
+  "TotpOrganizationName": "Weyland-Yutani Corporation"
+}
+```
+
+## `TwoFactorResult` model
+
+Add the following `TwoFactorResult` class to the `Models` folder.
+
+`Identity/Models/TwoFactorResult.cs`:
+
+```csharp
+namespace BlazorWasmAuth.Identity.Models
+{
+    /// <summary>
+    /// Response for login and registration.
+    /// </summary>
+    public class TwoFactorResult
+    {
+        /// <summary>
+        /// Gets or sets a value indicating the shared key.
+        /// </summary>
+        public string SharedKey { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets a value indicating the number of remaining recovery codes.
+        /// </summary>
+        public int RecoveryCodesLeft { get; set; } = 0;
+
+        /// <summary>
+        /// Gets or sets a value indicating the recovery codes.
+        /// </summary>
+        public string[] RecoveryCodes { get; set; } = [];
+
+        /// <summary>
+        /// Gets or sets a value indicating if two-factor authentication is enabled.
+        /// </summary>
+        public bool IsTwoFactorEnabled { get; set; }
+
+        /// <summary>
+        /// Gets or sets a value indicating if the machine is remembered.
+        /// </summary>
+        public bool IsMachineRemembered { get; set; }
+
+        /// <summary>
+        /// On failure, the problem details are parsed and returned in this array.
+        /// </summary>
+        public string[] ErrorList { get; set; } = [];
+    }
+}
+```
+
+## `IAccountManagement` interface
+
+Add the following class signatures to the `IAccountManagment` interface.
+
+`Identity/IAccountManagement.cs` (paste the following code at the bottom of the interface):
+
+```csharp
+/// <summary>
+/// Login service with two-factor authentication.
+/// </summary>
+/// <param name="email">User's email.</param>
+/// <param name="password">User's password.</param>
+/// <param name="twoFactorCode">User's 2FA code.</param>
+/// <returns>The result of the request serialized to <see cref="FormResult"/>.</returns>
+public Task<FormResult> LoginTwoFactorCodeAsync(
+    string email, 
+    string password, 
+    string twoFactorCode);
+
+/// <summary>
+/// Initial POST request to the two-factor authentication endpoint.
+/// </summary>
+/// <param name="enable">A flag indicating 2FA status.</param>
+/// <param name="twoFactorCode">The two-factor authentication code supplied by the user's 2FA app.</param>
+/// <param name="resetSharedKey">A flag indicating if the shared key should be reset.</param>
+/// <param name="resetRecoveryCodes">A flag indicating if the recovery codes should be reset.</param>
+/// <param name="forgetMachine">A flag indicating if the machine should be forgotten.</param>
+/// <returns>The result serialized to a <see cref="TwoFactorResult"/>.</returns>
+public Task<TwoFactorResult> TwoFactorRequest(
+    bool enable = false, 
+    string twoFactorCode = "", 
+    bool resetSharedKey = false, 
+    bool resetRecoveryCodes = false, 
+    bool forgetMachine = false);
+
+/// <summary>
+/// Login service with two-factor recovery authentication.
+/// </summary>
+/// <param name="email">User's email.</param>
+/// <param name="password">User's password.</param>
+/// <param name="twoFactorRecoveryCode">User's 2FA recovery code.</param>
+/// <returns>The result of the request serialized to <see cref="FormResult"/>.</returns>
+public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
+    string email, 
+    string password, 
+    string twoFactorRecoveryCode);
+```
+
+## `CookieAuthenticationStateProvider`
+
+Replace the `LoginAsync` method with the following code in `Identity/CookieAuthenticationStateProvider.cs`:
+
+```csharp
+public async Task<FormResult> LoginAsync(string email, string password)
+{
+    try
+    {
+        // login with cookies
+        var result = await httpClient.PostAsJsonAsync(
+            "login?useCookies=true", new
+            {
+                email,
+                password
+            });
+
+        // success?
+        if (result.IsSuccessStatusCode)
+        {
+            // need to refresh auth state
+            NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
+
+            // success!
+            return new FormResult { Succeeded = true };
+        }
+        else if (result.StatusCode == HttpStatusCode.Unauthorized)
+        {
+            var responseJson = await result.Content.ReadAsStringAsync();
+            var response = JsonSerializer.Deserialize<HttpResponseContent>(
+                responseJson, jsonSerializerOptions);
+
+            if (response?.Detail == "RequiresTwoFactor")
+            {
+                return new FormResult
+                {
+                    Succeeded = false,
+                    ErrorList = ["RequiresTwoFactor"]
+                };
+            }
+        }
+    }
+    catch { }
+
+    // unknown error
+    return new FormResult
+    {
+        Succeeded = false,
+        ErrorList = [ "Invalid email and/or password." ]
+    };
+}
+```
+
+Add the following methods and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
+
+```csharp
+/// <summary>
+/// User login with two-factor authentication.
+/// </summary>
+/// <param name="email">The user's email address.</param>
+/// <param name="password">The user's password.</param>
+/// <param name="twoFactorCode">The user's password.</param>
+/// <returns>
+///     The result of the login request serialized to a <see cref="FormResult"/>.
+/// </returns>
+public async Task<FormResult> LoginTwoFactorCodeAsync(
+    string email, string password, string twoFactorCode)
+{
+    try
+    {
+        // login with cookies
+        var result = await httpClient.PostAsJsonAsync(
+            "login?useCookies=true", new
+            {
+                email,
+                password,
+                twoFactorCode
+            });
+
+        // success?
+        if (result.IsSuccessStatusCode)
+        {
+            // need to refresh auth state
+            NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
+
+            // success!
+            return new FormResult { Succeeded = true };
+        }
+    }
+    catch { }
+
+    // unknown error
+    return new FormResult
+    {
+        Succeeded = false,
+        ErrorList = [ "Invalid email, password, or two-factor code."]
+    };
+}
+
+/// <summary>
+/// Initial POST request to the two-factor authentication endpoint.
+/// </summary>
+/// <param name="enable">A flag indicating 2FA status.</param>
+/// <param name="twoFactorCode">
+///     The two-factor authentication code supplied by the user's 2FA app.
+/// </param>
+/// <param name="resetSharedKey">
+///     A flag indicating if the shared key should be reset.
+/// </param>
+/// <param name="resetRecoveryCodes">
+///    A flag indicating if the recovery codes should be reset.
+/// </param>
+/// <param name="forgetMachine">
+///     A flag indicating if the machine should be forgotten.
+/// </param>
+/// <returns>The result serialized to a <see cref="TwoFactorResult"/>.</returns>
+public async Task<TwoFactorResult> TwoFactorRequest(
+    bool enable,
+    string twoFactorCode,
+    bool resetSharedKey,
+    bool resetRecoveryCodes,
+    bool forgetMachine)
+{
+    string[] defaultDetail = 
+        [ "An unknown error prevented two-factor authentication." ];
+
+    try
+    {
+        HttpResponseMessage response;
+
+        if (resetSharedKey)
+        {
+            response = await httpClient.PostAsJsonAsync("manage/2fa", 
+                new { enable, resetSharedKey });
+        }
+        else if (forgetMachine)
+        {
+            response = await httpClient.PostAsJsonAsync("manage/2fa", 
+                new { enable, forgetMachine });
+        }
+        else if (!string.IsNullOrEmpty(twoFactorCode))
+        {
+            response = await httpClient.PostAsJsonAsync("manage/2fa", 
+                new { enable, twoFactorCode });
+        }
+        else
+        {
+            response = await httpClient.PostAsJsonAsync("manage/2fa", 
+                new { });
+        }
+
+        // successful?
+        if (response.IsSuccessStatusCode)
+        {
+            return await response.Content
+                .ReadFromJsonAsync<TwoFactorResult>() ??
+                new()
+                { 
+                    ErrorList = 
+                        [ "There was an error processing the request." ]
+                };
+        }
+
+        // body should contain details about why it failed
+        var details = await response.Content.ReadAsStringAsync();
+        var problemDetails = JsonDocument.Parse(details);
+        var errors = new List<string>();
+        var errorList = problemDetails.RootElement.GetProperty("errors");
+
+        foreach (var errorEntry in errorList.EnumerateObject())
+        {
+            if (errorEntry.Value.ValueKind == JsonValueKind.String)
+            {
+                errors.Add(errorEntry.Value.GetString()!);
+            }
+            else if (errorEntry.Value.ValueKind == JsonValueKind.Array)
+            {
+                errors.AddRange(
+                    errorEntry.Value.EnumerateArray().Select(
+                        e => e.GetString() ?? string.Empty)
+                    .Where(e => !string.IsNullOrEmpty(e)));
+            }
+        }
+
+        // return the error list
+        return new TwoFactorResult
+        {
+            ErrorList = problemDetails == null ? defaultDetail : [.. errors]
+        };
+    }
+    catch { }
+
+    // unknown error
+    return new TwoFactorResult
+    {
+        ErrorList = [ "There was an error processing the request." ]
+    };
+}
+
+/// <summary>
+/// User login with two-factor authentication.
+/// </summary>
+/// <param name="email">The user's email address.</param>
+/// <param name="password">The user's password.</param>
+/// <param name="twoFactorCode">The user's password.</param>
+/// <returns>The result of the login request serialized to a <see cref="FormResult"/>.</returns>
+public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email, 
+    string password, string twoFactorRecoveryCode)
+{
+    try
+    {
+        // login with cookies
+        var result = await httpClient.PostAsJsonAsync(
+            "login?useCookies=true", new
+            {
+                email,
+                password,
+                twoFactorRecoveryCode
+            });
+
+        // success?
+        if (result.IsSuccessStatusCode)
+        {
+            // need to refresh auth state
+            NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
+
+            // success!
+            return new FormResult { Succeeded = true };
+        }
+    }
+    catch { }
+
+    // unknown error
+    return new FormResult
+    {
+        Succeeded = false,
+        ErrorList = [ "Invalid email, password, or two-factor code." ]
+    };
+}
+
+private class HttpResponseContent
+{
+    public string? Type { get; set; }
+    public string? Title { get; set; }
+    public int Status {  get; set; }
+    public string? Detail {  get; set; }
+}
+```
+
+## Replace `Login` component
+
+Replace the `Login` component with the following code.
+
+`Components/Identity/Login.razor`:
+
+```razor
+@page "/login"
+@using System.ComponentModel.DataAnnotations
+@using BlazorWasmAuth.Identity
+@using BlazorWasmAuth.Identity.Models
+@inject IAccountManagement Acct
+@inject ILogger<Login> Logger
+@inject NavigationManager Navigation
+
+<PageTitle>Login</PageTitle>
+
+<h1>Login</h1>
+
+<AuthorizeView>
+    <Authorized>
+        <div class="alert alert-success">
+            You're logged in as @context.User.Identity?.Name.
+        </div>
+    </Authorized>
+    <NotAuthorized>
+        @foreach (var error in formResult.ErrorList)
+        {
+            <div class="alert alert-danger">@error</div>
+        }
+        <div class="row">
+            <div class="col">
+                <section>
+                    <EditForm Model="Input" 
+                              method="post" 
+                              OnValidSubmit="LoginUser" 
+                              FormName="login" 
+                              Context="editform_context">
+                        <DataAnnotationsValidator />
+                        <h2>Use a local account to log in.</h2>
+                        <hr />
+                        <div style="display:@(requiresTwoFactor ? "none" : "block")">
+                            <div class="form-floating mb-3">
+                                <InputText 
+                                    @bind-Value="Input.Email" 
+                                    id="Input.Email" 
+                                    class="form-control" 
+                                    autocomplete="username" 
+                                    aria-required="true" 
+                                    placeholder="name@example.com" />
+                                <label for="Input.Email" class="form-label">
+                                    Email
+                                </label>
+                                <ValidationMessage 
+                                    For="() => Input.Email" 
+                                    class="text-danger" />
+                            </div>
+                            <div class="form-floating mb-3">
+                                <InputText 
+                                    type="password" 
+                                    @bind-Value="Input.Password" 
+                                    id="Input.Password" 
+                                    class="form-control" 
+                                    autocomplete="current-password" 
+                                    aria-required="true" 
+                                    placeholder="password" />
+                                <label for="Input.Password" class="form-label">
+                                    Password
+                                </label>
+                                <ValidationMessage 
+                                    For="() => Input.Password" 
+                                    class="text-danger" />
+                            </div>
+                        </div>
+                        <div style="display:@(requiresTwoFactor ? "block" : "none")">
+                            <div class="form-floating mb-3">
+                                <InputText @bind-Value="Input.TwoFactorCode" 
+                                    id="Input.TwoFactorCode" class="form-control" 
+                                    autocomplete="off" 
+                                    placeholder="123456 or 12345-67890" />
+                                <label for="Input.TwoFactorCode" class="form-label">
+                                    2FA Authenticator code (6 digits) or Recovery 
+                                    Code (#####-#####, dash required)
+                                </label>
+                                <ValidationMessage 
+                                    For="() => Input.TwoFactorCode" 
+                                    class="text-danger" />
+                            </div>
+                        </div>
+                        <div>
+                            <button type="submit" class="w-100 btn btn-lg btn-primary">
+                                Log in
+                            </button>
+                        </div>
+                        <div>
+                            <p>
+                                <a href="forgot-password">Forgot password</a>
+                            </p>
+                            <p>
+                                <a href="register">Register as a new user</a>
+                            </p>
+                        </div>
+                    </EditForm>
+                </section>
+            </div>
+        </div>
+    </NotAuthorized>
+</AuthorizeView>
+
+@code {
+    private FormResult formResult = new();
+    private bool requiresTwoFactor;
+
+    [SupplyParameterFromForm]
+    private InputModel Input { get; set; } = new();
+
+    [SupplyParameterFromQuery]
+    private string? ReturnUrl { get; set; }
+
+    public async Task LoginUser()
+    {
+        if (requiresTwoFactor)
+        {
+            if (!string.IsNullOrEmpty(Input.TwoFactorCode))
+            {
+                if (Input.TwoFactorCode.Length == 6)
+                {
+                    formResult = await Acct.LoginTwoFactorCodeAsync(
+                        Input.Email, Input.Password, Input.TwoFactorCode);
+                }
+                else
+                {
+                    formResult = await Acct.LoginTwoFactorRecoveryCodeAsync(
+                        Input.Email, Input.Password, Input.TwoFactorCode);
+                }
+            }
+        }
+        else
+        {
+            formResult = await Acct.LoginAsync(Input.Email, Input.Password);
+            requiresTwoFactor = formResult.ErrorList.Contains("RequiresTwoFactor");
+            Input.TwoFactorCode = string.Empty;
+            formResult.ErrorList = [];
+        }
+
+        if (formResult.Succeeded && !string.IsNullOrEmpty(ReturnUrl))
+        {
+            Navigation.NavigateTo(ReturnUrl);
+        }
+    }
+
+    private sealed class InputModel
+    {
+        [Required]
+        [EmailAddress]
+        [Display(Name = "Email")]
+        public string Email { get; set; } = string.Empty;
+
+        [Required]
+        [DataType(DataType.Password)]
+        [Display(Name = "Password")]
+        public string Password { get; set; } = string.Empty;
+
+        [Required]
+        [RegularExpression(@"^([0-9]{6})|([A-Z0-9]{5}[-]{1}[A-Z0-9]{5})$", 
+            ErrorMessage = "Must be a six-digit authenticator code (######) or " +
+            "eleven-character alphanumeric recovery code (#####-#####, dash " +
+            "required)")]
+        [Display(Name = "Two-factor code")]
+        public string TwoFactorCode { get; set; } = "123456";
+    }
+}
+```
+
+## Show recovery codes component
+
+Add the following `ShowRecoveryCode` component to the app.
+
+`Components/Identity/ShowRecoveryCodes.razor`:
+
+```razor
+<h3>Recovery codes</h3>
+
+<div class="alert alert-warning" role="alert">
+    <p>
+        <strong>Put these codes in a safe place.</strong>
+    </p>
+    <p>
+        If you lose your device and don't have an unused 
+        recovery code, you can't access your account.
+    </p>
+</div>
+<div class="row">
+    <div class="col-md-12">
+        @foreach (var recoveryCode in RecoveryCodes)
+        {
+            <div>
+                <code class="recovery-code">@recoveryCode</code>
+            </div>
+        }
+    </div>
+</div>
+
+@code {
+    [Parameter]
+    public string[] RecoveryCodes { get; set; } = [];
+}
+```
+
+## Manage 2FA page
+
+Add the following `Manage2fa` component.
+
+`Components/Identity/Manage2fa.razor`:
+
+```razor
+@page "/manage-2fa"
+@using System.ComponentModel.DataAnnotations
+@using System.Globalization
+@using System.Text
+@using System.Text.Encodings.Web
+@using BlazorWasmAuth.Identity
+@using BlazorWasmAuth.Identity.Models
+@attribute [Authorize]
+@implements IAsyncDisposable
+@inject IAccountManagement Acct
+@inject IAuthorizationService AuthorizationService
+@inject IConfiguration Config
+@inject IJSRuntime JS
+@inject ILogger<Manage2fa> Logger
+
+<PageTitle>Manage 2FA</PageTitle>
+
+<h1>Manage Two-factor Authentication</h1>
+<hr />
+<div class="row">
+    <div class="col">
+        @if (twoFactorResult is not null)
+        {
+            if (twoFactorResult.ErrorList.Length > 0)
+            {
+                @foreach (var error in twoFactorResult.ErrorList)
+                {
+                    <div class="alert alert-danger">@error</div>
+                }
+            }
+            else
+            {
+                @if (twoFactorResult.IsTwoFactorEnabled)
+                {
+                    <div class="alert alert-success" role="alert">
+                        Two-factor authentication is enabled for your account.
+                    </div>
+
+                    <button @onclick="Disable2FA" class="btn btn-lg btn-primary">
+                        Disable 2FA
+                    </button>
+
+                    @if (recoveryCodes is null)
+                    {
+                        <button @onclick="NewCodes" class="btn btn-lg btn-primary">
+                            Generate New Recovery Codes
+                        </button>
+                    }
+                    else
+                    {
+                        <ShowRecoveryCodes 
+                            RecoveryCodes="twoFactorResult.RecoveryCodes.ToArray()" />
+                    }
+                }
+                else
+                {
+                    <h3>Configure authenticator app</h3>
+                    <div>
+                        <p>To use an authenticator app:</p>
+                        <ol class="list">
+                            <li>
+                                <p>
+                                    Download a two-factor authenticator app, such 
+                                    as either of the following:
+                                    <ul>
+                                        <li>
+                                            Microsoft Authenticator for
+                                            <a href="https://go.microsoft.com/fwlink/?Linkid=825072">
+                                                Android
+                                            </a> and
+                                            <a href="https://go.microsoft.com/fwlink/?Linkid=825073">
+                                                iOS
+                                            </a>
+                                        </li>
+                                        <li>
+                                            Google Authenticator for
+                                            <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2">
+                                                Android
+                                            </a> and
+                                            <a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8">
+                                                iOS
+                                            </a>
+                                        </li>
+                                    </ul>
+                                </p>
+                            </li>
+                            <li>
+                                <p>
+                                    Scan the QR Code or enter this key 
+                                    <kbd>@twoFactorResult.SharedKey</kbd> into your 
+                                    two factor authenticator app. Spaces and casing 
+                                    don't matter.
+                                </p>
+                                <div id="qrCode"></div>
+                            </li>
+                            <li>
+                                <p>
+                                    Once you have scanned the QR code or input the 
+                                    key above, your two factor authentication app 
+                                    will provide you with a unique code. Enter the 
+                                    code in the confirmation box below.
+                                </p>
+                                <div class="row">
+                                    <div class="col-xl-6">
+                                        <EditForm 
+                                                Model="Input" 
+                                                FormName="send-code" 
+                                                OnValidSubmit="OnValidSubmitAsync" 
+                                                method="post">
+                                            <DataAnnotationsValidator />
+                                            <div class="form-floating mb-3">
+                                                <InputText 
+                                                    @bind-Value="Input.Code" 
+                                                    id="Input.Code" 
+                                                    class="form-control" 
+                                                    autocomplete="off" 
+                                                    placeholder="Enter the code" />
+                                                <label for="Input.Code" class="control-label form-label">
+                                                    Verification Code
+                                                </label>
+                                                <ValidationMessage 
+                                                    For="() => Input.Code" 
+                                                    class="text-danger" />
+                                            </div>
+                                            <button type="submit" class="w-100 btn btn-lg btn-primary">
+                                                Verify
+                                            </button>
+                                        </EditForm>
+                                    </div>
+                                </div>
+                            </li>
+                        </ol>
+                    </div>
+                }
+            }
+        }
+    </div>
+</div>
+
+@code {
+    private IEnumerable<string>? recoveryCodes;
+    private IJSObjectReference? module;
+    private TwoFactorResult twoFactorResult = new();
+
+    [SupplyParameterFromForm]
+    private InputModel Input { get; set; } = new();
+
+    [CascadingParameter]
+    private Task<AuthenticationState>? authenticationState { get; set; }
+
+    protected override async Task OnInitializedAsync()
+    {
+        twoFactorResult = await Acct.TwoFactorRequest();
+    }
+
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        if (firstRender)
+        {
+            module = await JS.InvokeAsync<IJSObjectReference>("import",
+                "./Components/Identity/Manage2fa.razor.js");
+
+            //twoFactorResult = await Acct.TwoFactorRequest();
+
+            if (authenticationState is not null)
+            {
+                var authState = await authenticationState;
+                var email = authState?.User?.Identity?.Name!;
+
+                var uri = string.Format(
+                    CultureInfo.InvariantCulture,
+                    "otpauth://totp/{0}:{1}?secret={2}&issuer={0}&digits=6",
+                    UrlEncoder.Default.Encode(Config["TotpOrganizationName"]!),
+                    email,
+                    twoFactorResult.SharedKey);
+
+                await module.InvokeVoidAsync("setQrCode", uri);
+            }
+        }
+    }
+
+    private async Task Disable2FA()
+    {
+        twoFactorResult = await Acct.TwoFactorRequest(resetSharedKey: true);
+    }
+
+    private async Task NewCodes()
+    {
+        twoFactorResult = await Acct.TwoFactorRequest(resetRecoveryCodes: true);
+        recoveryCodes = twoFactorResult.RecoveryCodes;
+    }
+
+    private async Task OnValidSubmitAsync()
+    {
+        twoFactorResult = await Acct.TwoFactorRequest(enable: true, 
+            twoFactorCode: Input.Code);
+        recoveryCodes = twoFactorResult.RecoveryCodes;
+    }
+
+    private sealed class InputModel
+    {
+        [Required]
+        [RegularExpression(@"^([0-9]{6})$", 
+            ErrorMessage = "Must be a six-digit authenticator code (######)")]
+        [DataType(DataType.Text)]
+        [Display(Name = "Verification Code")]
+        public string Code { get; set; } = string.Empty;
+    }
+
+    async ValueTask IAsyncDisposable.DisposeAsync()
+    {
+        if (module is not null)
+        {
+            await module.DisposeAsync();
+        }
+    }
+}
+```
+
+Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript-location#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component).
+
+`Components/Identity/Manage2fa.razor.js`:
+
+```javascript
+export function setQrCode(uri) {
+  new QRCode(document.getElementById('qrCode'), uri);
+}
+```
+
+## Link to the the Manage 2FA page
+
+In the `<Authorized>` content of the `<AuthorizeView>` in `Components/Layout/NavMenu.razor`, add a link to the **Manage 2FA** page:
+
+```razor
+<AuthorizeView>
+    <Authorized>
+
+        ...
+
+        <div class="nav-item px-3">
+            <NavLink class="nav-link" href="manage-2fa">
+                <span class="bi bi-key" aria-hidden="true"></span> Manage 2FA
+            </NavLink>
+        </div>
+
+        ...
+
+    </Authorized>
+</AuthorizeView>
+```
+
+## Additional resources
+
+* [Mandrill.net (GitHub repository)](https://github.com/feinoujc/Mandrill.net)
+* [Mailchimp developer: Transactional API](https://mailchimp.com/developer/transactional/docs/fundamentals/)
diff --git a/aspnetcore/toc.yml b/aspnetcore/toc.yml
index f86c4972e728..f00a0fdba16f 100644
--- a/aspnetcore/toc.yml
+++ b/aspnetcore/toc.yml
@@ -612,6 +612,8 @@ items:
                         uid: blazor/security/webassembly/standalone-with-identity/index
                       - name: Account confirmation and password recovery
                         uid: blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery
+                      - name: QR codes with TOTP
+                        uid: blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps
                   - name: Standalone with Authentication library
                     uid: blazor/security/webassembly/standalone-with-authentication-library
                   - name: Standalone with Microsoft Accounts
@@ -644,7 +646,7 @@ items:
                 uid: blazor/security/interactive-server-side-rendering
               - name: Account confirmation and password recovery
                 uid: blazor/security/account-confirmation-and-password-recovery
-              - name: QR code generation
+              - name: QR codes with TOTP
                 uid: blazor/security/qrcodes-for-authenticator-apps
               - name: Content Security Policy
                 uid: blazor/security/content-security-policy

From 1a76a339e2675cad0522fa9f1cc69728fdcbb128 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 20 Nov 2024 20:00:03 -0500
Subject: [PATCH 02/25] Updates

---
 ...ount-confirmation-and-password-recovery.md | 70 +++++++++++--------
 .../standalone-with-identity/index.md         |  3 +-
 .../qrcodes-for-authenticator-apps.md         |  9 ++-
 3 files changed, 47 insertions(+), 35 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
index 2a67461ca129..4313bc3a379f 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
@@ -158,15 +158,11 @@ Locate the line that calls <xref:Microsoft.Extensions.DependencyInjection.Identi
 In the client project's `Register` component (`Components/Identity/Register.razor`), change the message to users on a successful account registration to instruct them to confirm their account. The following example includes a link to trigger Identity on the server to resend the confirmation email.
 
 ```diff
-- <div class="alert alert-success">
--     You successfully registered. Now you can <a href="login">login</a>.
-- </div>
-+ <div class="alert alert-success">
-+     You successfully registered. You must now confirm your account by clicking 
-+     the link in the email that was sent to you. After confirming your account, 
-+     you can <a href="login">login</a> to the app. 
-+     <a href="resendConfirmationEmail">Resend confirmation email</a>
-+ </div>
+- You successfully registered. Now you can <a href="login">login</a>.
++ You successfully registered. You must now confirm your account by clicking 
++ the link in the email that was sent to you. After confirming your account, 
++ you can <a href="login">login</a> to the app. 
++ <a href="resendConfirmationEmail">Resend confirmation email</a>
 ```
 
 ## Update seed data code to confirm seeded accounts
@@ -345,15 +341,21 @@ In the client project, add the following `ForgotPassword` component.
     <div class="col-md-4">
         @if (!passwordResetCodeSent)
         {
-            <EditForm Model="Input" FormName="forgot-password" 
-                OnValidSubmit="OnValidSubmitStep1Async" method="post">
+            <EditForm Model="Input" 
+                      FormName="forgot-password" 
+                      OnValidSubmit="OnValidSubmitStep1Async" 
+                      method="post">
                 <DataAnnotationsValidator />
                 <ValidationSummary class="text-danger" role="alert" />
 
                 <div class="form-floating mb-3">
-                    <InputText @bind-Value="Input.Email" id="Input.Email" 
-                        class="form-control" autocomplete="username" 
-                        aria-required="true" placeholder="name@example.com" />
+                    <InputText 
+                        @bind-Value="Input.Email" 
+                        id="Input.Email" 
+                        class="form-control" 
+                        autocomplete="username" 
+                        aria-required="true" 
+                        placeholder="name@example.com" />
                     <label for="Input.Email" class="form-label">
                         Email
                     </label>
@@ -390,15 +392,20 @@ In the client project, add the following `ForgotPassword` component.
                     A password reset code has been sent to your email address. 
                     Obtain the code from the email for this form.
                 </div>
-                <EditForm Model="Reset" FormName="reset-password" 
-                    OnValidSubmit="OnValidSubmitStep2Async" method="post">
+                <EditForm Model="Reset" 
+                          FormName="reset-password" 
+                          OnValidSubmit="OnValidSubmitStep2Async" 
+                          method="post">
                     <DataAnnotationsValidator />
                     <ValidationSummary class="text-danger" role="alert" />
 
                     <div class="form-floating mb-3">
-                        <InputText @bind-Value="Reset.ResetCode" 
-                            id="Reset.ResetCode" class="form-control" 
-                            autocomplete="username" aria-required="true" />
+                        <InputText 
+                            @bind-Value="Reset.ResetCode" 
+                            id="Reset.ResetCode" 
+                            class="form-control" 
+                            autocomplete="username" 
+                            aria-required="true" />
                         <label for="Reset.ResetCode" class="form-label">
                             Reset code
                         </label>
@@ -406,9 +413,13 @@ In the client project, add the following `ForgotPassword` component.
                             class="text-danger" />
                     </div>
                     <div class="form-floating mb-3">
-                        <InputText type="password" @bind-Value="Reset.NewPassword" 
-                            id="Reset.NewPassword" class="form-control" 
-                            autocomplete="new-password" aria-required="true" 
+                        <InputText 
+                            type="password" 
+                            @bind-Value="Reset.NewPassword" 
+                            id="Reset.NewPassword" 
+                            class="form-control" 
+                            autocomplete="new-password" 
+                            aria-required="true" 
                             placeholder="password" />
                         <label for="Reset.NewPassword" class="form-label">
                             New Password
@@ -417,9 +428,13 @@ In the client project, add the following `ForgotPassword` component.
                             class="text-danger" />
                     </div>
                     <div class="form-floating mb-3">
-                        <InputText type="password" @bind-Value="Reset.ConfirmPassword" 
-                            id="Reset.ConfirmPassword" class="form-control" 
-                            autocomplete="new-password" aria-required="true" 
+                        <InputText 
+                            type="password" 
+                            @bind-Value="Reset.ConfirmPassword" 
+                            id="Reset.ConfirmPassword" 
+                            class="form-control" 
+                            autocomplete="new-password" 
+                            aria-required="true" 
                             placeholder="password" />
                         <label for="Reset.ConfirmPassword" class="form-label">
                             Confirm Password
@@ -437,8 +452,7 @@ In the client project, add the following `ForgotPassword` component.
 </div>
 
 @code {
-    private bool passwordResetCodeSent;
-    private bool passwordResetSuccess, errors;
+    private bool passwordResetCodeSent, passwordResetSuccess, errors;
     private string[] errorList = [];
 
     [SupplyParameterFromForm(FormName = "forgot-password")]
@@ -492,7 +506,7 @@ In the client project, add the following `ForgotPassword` component.
         [DataType(DataType.Password)]
         [Display(Name = "Confirm password")]
         [Compare("NewPassword", ErrorMessage = "The new password and confirmation " +
-            "password do not match.")]
+            "password don't match.")]
         public string ConfirmPassword { get; set; } = string.Empty;
     }
 }
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/index.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/index.md
index d65f44c4a47d..8304e3594d89 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/index.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/index.md
@@ -85,12 +85,11 @@ At this point, you must provide custom code to parse the <xref:Microsoft.AspNetC
 Scenarios covered by the Blazor documentation set:
 
 * [Account confirmation, password management, and recovery codes](xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery)
-* Two-factor authentication (2FA): *Implementation guidance coming soon!* This work is tracked by [Add 2FA/TOTP coverage to the Standalone+Identity article+sample (`dotnet/AspNetCore.Docs` #33772)](https://github.com/dotnet/AspNetCore.Docs/issues/33772). In the meantime, general information to aid you with a custom implementation is available in <xref:security/authentication/identity/spa#use-the-post-manage2fa-endpoint>.
+* [Two-factor authentication (2FA) with a TOTP authenticator app](xref:blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps)
 
 For information on additional Identity scenarios provided by the API, see <xref:security/authentication/identity/spa>:
 
 * Secure selected endpoints
-* Two-factor authentication (2FA) and recovery codes
 * User info management
 
 ## Use secure authentication flows to maintain sensitive data and credentials
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index cbdaf7f15d23..7d4d7d4ce755 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -740,11 +740,10 @@ Add the following `Manage2fa` component.
                                 </p>
                                 <div class="row">
                                     <div class="col-xl-6">
-                                        <EditForm 
-                                                Model="Input" 
-                                                FormName="send-code" 
-                                                OnValidSubmit="OnValidSubmitAsync" 
-                                                method="post">
+                                        <EditForm Model="Input" 
+                                                  FormName="send-code" 
+                                                  OnValidSubmit="OnValidSubmitAsync" 
+                                                  method="post">
                                             <DataAnnotationsValidator />
                                             <div class="form-floating mb-3">
                                                 <InputText 

From f11cb7e1c28ff83c4337bae28f0935249339b1aa Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 21 Nov 2024 10:10:23 -0500
Subject: [PATCH 03/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         |  19 +-
 ...ount-confirmation-and-password-recovery.md |  81 +---
 .../qrcodes-for-authenticator-apps.md         | 437 +++++++-----------
 3 files changed, 204 insertions(+), 333 deletions(-)

diff --git a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
index a9dc6fb603d1..ace84d25cbd9 100644
--- a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
@@ -33,14 +33,16 @@ For more information, see <xref:security/authentication/scaffold-identity>. For
 
 ## Adding QR codes to the 2FA configuration page
 
-These instructions use [Shim Sangmin](https://hogangnono.com)'s [qrcode.js: Cross-browser QRCode generator for JavaScript](https://davidshimjs.github.io/qrcodejs/) ([`davidshimjs/qrcodejs` GitHub repository](https://github.com/davidshimjs/qrcodejs)).
+The QR code used by 2FA authenticator apps to configure the app to creates TOTP codes must be generated by a QR code library.
 
-Download the [`qrcode.min.js`](https://davidshimjs.github.io/qrcodejs/) library to the `wwwroot` folder of the solution's server project. The library has no dependencies.
+The guidance in this article uses [qr-creator](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
+
+Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the solution's server project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer.
 
 In the `App` component (`Components/App.razor`), place a library script reference after [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
 
-```razor
-<script src="qrcode.min.js"></script>
+```html
+<script src="qr-creator.min.js"></script>
 ```
 
 The `EnableAuthenticator` component, which is part of the QR code system in the app and displays the QR code to users, adopts static server-side rendering (static SSR) with enhanced navigation. Therefore, normal scripts can't execute when the component loads or updates under enhanced navigation. Extra steps are required to trigger the QR code to load in the UI when the page is loaded. To accomplish loading the QR code, the approach explained in <xref:blazor/js-interop/ssr> is adopted.
@@ -72,7 +74,14 @@ Add the following [collocated JS file](xref:blazor/js-interop/javascript-locatio
 ```javascript
 export function onLoad() {
   const uri = document.getElementById('qrCodeData').getAttribute('data-url');
-  new QRCode(document.getElementById('qrCode'), uri);
+  QrCreator.render({
+    text: uri,
+    radius: 0,
+    ecLevel: 'H',
+    fill: '#000000',
+    background: null,
+    size: 190
+  }, document.querySelector('#qrCode'));
 }
 ```
 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
index 4313bc3a379f..e31006c1b94e 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
@@ -4,7 +4,7 @@ author: guardrex
 description: Learn how to configure an ASP.NET Core Blazor WebAssembly app with ASP.NET Core Identity with email confirmation and password recovery.
 ms.author: riande
 monikerRange: '>= aspnetcore-8.0'
-ms.date: 10/31/2024
+ms.date: 11/21/2024
 uid: blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery
 ---
 # Account confirmation and password recovery in ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity
@@ -16,7 +16,7 @@ This article explains how to configure an ASP.NET Core Blazor WebAssembly app wi
 > [!NOTE]
 > This article only applies standalone Blazor WebAssembly apps with ASP.NET Core Identity. To implement email confirmation and password recovery for Blazor Web Apps, see <xref:blazor/security/account-confirmation-and-password-recovery>.
 
-## Namespace
+## Namespaces and article code examples
 
 The namespaces used by the examples in this article are:
 
@@ -27,6 +27,8 @@ These namespaces correspond to the projects in the `BlazorWebAssemblyStandaloneW
 
 If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample solution, change the namespaces in the code examples to use the namespaces of your projects.
 
+In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks. You're welcome to condense the code in your own apps by removing the artificial line breaks after you paste the code into a project.
+
 ## Select and configure an email provider for the server project
 
 In this article, [Mailchimp's Transactional API](https://mailchimp.com/developer/transactional/api/) is used via [Mandrill.net](https://www.nuget.org/packages/Mandrill.net) to send email. We recommend using an email service to send email rather than SMTP. SMTP is difficult to configure and secure properly. Whichever email service you use, access their guidance for .NET apps, create an account, configure an API key for their service, and install any NuGet packages required.
@@ -220,24 +222,16 @@ public Task<FormResult> ResetPasswordAsync(string email, string resetCode,
 In the client project, add implementations for the preceding methods in the `CookieAuthenticationStateProvider` class (`Identity/CookieAuthenticationStateProvider.cs`):
 
 ```csharp
-/// <summary>
-/// Begin the password recovery process by issuing a POST request to the 
-/// '/forgotPassword' endpoint.
-/// </summary>
-/// <param name="email">The user's email address.</param>
-/// <returns>A <see cref="bool"/> indicating success or failure.</returns>
 public async Task<bool> ForgotPasswordAsync(string email)
 {
     try
     {
-        // make the request
         var result = await httpClient.PostAsJsonAsync(
             "forgotPassword", new
             {
                 email
             });
 
-        // successful?
         if (result.IsSuccessStatusCode)
         {
             return true;
@@ -245,19 +239,9 @@ public async Task<bool> ForgotPasswordAsync(string email)
     }
     catch { }
 
-    // unknown error
     return false;
 }
 
-/// <summary>
-/// Reset the user's password by issuing a POST request to the 
-/// '/resetPassword' endpoint.
-/// </summary>
-/// <param name="email">The user's email address.</param>
-/// <param name="resetCode">The user's reset code.</param>
-/// <param name="newPassword">The user's new password.</param>
-/// <returns>The result serialized to a <see cref="FormResult"/>.
-/// </returns>
 public async Task<FormResult> ResetPasswordAsync(string email, string resetCode, 
     string newPassword)
 {
@@ -265,7 +249,6 @@ public async Task<FormResult> ResetPasswordAsync(string email, string resetCode,
 
     try
     {
-        // make the request
         var result = await httpClient.PostAsJsonAsync(
             "resetPassword", new
             {
@@ -274,13 +257,11 @@ public async Task<FormResult> ResetPasswordAsync(string email, string resetCode,
                 newPassword
             });
 
-        // successful?
         if (result.IsSuccessStatusCode)
         {
             return new FormResult { Succeeded = true };
         }
 
-        // body should contain details about why it failed
         var details = await result.Content.ReadAsStringAsync();
         var problemDetails = JsonDocument.Parse(details);
         var errors = new List<string>();
@@ -301,7 +282,6 @@ public async Task<FormResult> ResetPasswordAsync(string email, string resetCode,
             }
         }
 
-        // return the error list
         return new FormResult
         {
             Succeeded = false,
@@ -310,7 +290,6 @@ public async Task<FormResult> ResetPasswordAsync(string email, string resetCode,
     }
     catch { }
 
-    // unknown error
     return new FormResult
     {
         Succeeded = false,
@@ -321,9 +300,6 @@ public async Task<FormResult> ResetPasswordAsync(string email, string resetCode,
 
 In the client project, add the following `ForgotPassword` component.
 
-> [!NOTE]
-> Code lines in the following example are broken across two or more lines to eliminate or reduce horizontal scrolling in this article, but you can place the following code as shown into a test app. The code executes regardless of the artificial line breaks.
-
 `Components/Identity/ForgotPassword.razor`:
 
 ```razor
@@ -341,20 +317,15 @@ In the client project, add the following `ForgotPassword` component.
     <div class="col-md-4">
         @if (!passwordResetCodeSent)
         {
-            <EditForm Model="Input" 
-                      FormName="forgot-password" 
-                      OnValidSubmit="OnValidSubmitStep1Async" 
-                      method="post">
+            <EditForm Model="Input" FormName="forgot-password" 
+                      OnValidSubmit="OnValidSubmitStep1Async" method="post">
                 <DataAnnotationsValidator />
                 <ValidationSummary class="text-danger" role="alert" />
 
                 <div class="form-floating mb-3">
-                    <InputText 
-                        @bind-Value="Input.Email" 
-                        id="Input.Email" 
-                        class="form-control" 
-                        autocomplete="username" 
-                        aria-required="true" 
+                    <InputText @bind-Value="Input.Email" 
+                        id="Input.Email" class="form-control" 
+                        autocomplete="username" aria-required="true" 
                         placeholder="name@example.com" />
                     <label for="Input.Email" class="form-label">
                         Email
@@ -392,20 +363,15 @@ In the client project, add the following `ForgotPassword` component.
                     A password reset code has been sent to your email address. 
                     Obtain the code from the email for this form.
                 </div>
-                <EditForm Model="Reset" 
-                          FormName="reset-password" 
-                          OnValidSubmit="OnValidSubmitStep2Async" 
-                          method="post">
+                <EditForm Model="Reset" FormName="reset-password" 
+                          OnValidSubmit="OnValidSubmitStep2Async" method="post">
                     <DataAnnotationsValidator />
                     <ValidationSummary class="text-danger" role="alert" />
 
                     <div class="form-floating mb-3">
-                        <InputText 
-                            @bind-Value="Reset.ResetCode" 
-                            id="Reset.ResetCode" 
-                            class="form-control" 
-                            autocomplete="username" 
-                            aria-required="true" />
+                        <InputText @bind-Value="Reset.ResetCode" 
+                            id="Reset.ResetCode" class="form-control" 
+                            autocomplete="username" aria-required="true" />
                         <label for="Reset.ResetCode" class="form-label">
                             Reset code
                         </label>
@@ -413,13 +379,9 @@ In the client project, add the following `ForgotPassword` component.
                             class="text-danger" />
                     </div>
                     <div class="form-floating mb-3">
-                        <InputText 
-                            type="password" 
-                            @bind-Value="Reset.NewPassword" 
-                            id="Reset.NewPassword" 
-                            class="form-control" 
-                            autocomplete="new-password" 
-                            aria-required="true" 
+                        <InputText type="password" @bind-Value="Reset.NewPassword" 
+                            id="Reset.NewPassword" class="form-control" 
+                            autocomplete="new-password" aria-required="true" 
                             placeholder="password" />
                         <label for="Reset.NewPassword" class="form-label">
                             New Password
@@ -428,13 +390,10 @@ In the client project, add the following `ForgotPassword` component.
                             class="text-danger" />
                     </div>
                     <div class="form-floating mb-3">
-                        <InputText 
-                            type="password" 
+                        <InputText type="password" 
                             @bind-Value="Reset.ConfirmPassword" 
-                            id="Reset.ConfirmPassword" 
-                            class="form-control" 
-                            autocomplete="new-password" 
-                            aria-required="true" 
+                            id="Reset.ConfirmPassword" class="form-control" 
+                            autocomplete="new-password" aria-required="true" 
                             placeholder="password" />
                         <label for="Reset.ConfirmPassword" class="form-label">
                             Confirm Password
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 7d4d7d4ce755..a6bae9c41c70 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -4,28 +4,24 @@ author: guardrex
 description: Learn how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with TOTP authenticator app.
 ms.author: riande
 monikerRange: '>= aspnetcore-8.0'
-ms.date: 11/20/2024
+ms.date: 11/21/2024
 uid: blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps
 ---
 # Enable QR code generation for TOTP authenticator apps in ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity
 
 [!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
 
-This article explains how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with TOTP authenticator app.
+This article explains how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with a Time-based One-time Password Algorithm (TOTP) authenticator app.
 
 > [!NOTE]
 > This article only applies standalone Blazor WebAssembly apps with ASP.NET Core Identity. To implement QR code generation for Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>.
 
-For an introduction to two-factor authentication (2FA) with authenticator apps using a Time-based One-time Password Algorithm (TOTP), see <xref:security/authentication/identity-enable-qrcodes>.
+For an introduction to two-factor authentication (2FA) using a TOTP authenticator app, see <xref:security/authentication/identity-enable-qrcodes>.
 
 > [!WARNING]
 > An ASP.NET Core TOTP code should be kept secret because it can be used to authenticate successfully multiple times before it expires.
 
-## Two-factor/TOTP processing
-
-... EXPLAIN API BASICS HERE ...
-
-## Namespace
+## Namespaces and article code examples
 
 The namespaces used by the examples in this article are:
 
@@ -36,37 +32,41 @@ These namespaces correspond to the projects in the `BlazorWebAssemblyStandaloneW
 
 If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample solution, change the namespaces in the code examples to use the namespaces of your projects.
 
-**All of the changes to the app covered by this article outside of the *Configure account confirmation and password recovery* section take place in the `BlazorWasmAuth` project.**
+All of the changes to the solution covered by this article outside of the *Configure account confirmation and password recovery* section take place in the `BlazorWasmAuth` project.
+
+In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks. You're welcome to condense the code in your own apps by removing the artificial line breaks after you paste the code into a project.
 
-## Configure account confirmation and password recovery
+## Optional account confirmation and password recovery
 
-Follow the guidance in <xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery> to establish account confirmation and password recovery features:
+Although apps that implement 2FA authentication often adopt account confirmation and password recovery features, 2FA authentication doesn't require it. The guidance in this article can be followed to implement 2FA without following the guidance in <xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery>.
 
-* [Select and configure an email provider for the server project](xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery#select-and-configure-an-email-provider-for-the-server-project)
-* [Configure a user secret for the provider's security key](xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery#configure-a-user-secret-for-the-providers-security-key)
-* [Implement `IEmailSender` in the server project](xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery#implement-iemailsender-in-the-server-project)
+## Add a QR code library to the app
 
-Two-factor authentication doesn't strictly require account confirmation and password recovery features, so you aren't required to adopt the remaining guidance in the cross-linked article.
+The QR code used by 2FA authenticator apps to configure the app to creates TOTP codes must be generated by a QR code library.
 
-## Adding QR codes to the app
+The guidance in this article uses [qr-creator](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
 
-These instructions use [Shim Sangmin](https://hogangnono.com)'s [qrcode.js: Cross-browser QRCode generator for JavaScript](https://davidshimjs.github.io/qrcodejs/) ([`davidshimjs/qrcodejs` GitHub repository](https://github.com/davidshimjs/qrcodejs)).
+Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the `wwwroot` folder of the client project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer.
 
-Download the [`qrcode.min.js`](https://davidshimjs.github.io/qrcodejs/) library to the `wwwroot` folder of the `BlazorWasmAuth` project. The library has no dependencies.
+In the client project's `wwwroot/index.html` file, add the following `<script>` tag immediately after the [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
+
+```html
+<script src="qr-creator.min.js"></script>
+```
 
 ## Set the TOTP organization name
 
-Set the site name in the app settings file of the `BlazorWasmAuth` project. Use a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. Examples: Yahoo, Amazon, Etsy, Microsoft, Zoho. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
+Set the site name in the app settings file of the client project. Use a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. Examples: Yahoo, Amazon, Etsy, Microsoft, Zoho. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
 
 In the following example, the the company name is `Weyland-Yutani Corporation` (&copy;1986 20th Century Studios [*Aliens*](https://www.20thcenturystudios.com/movies/aliens)).
 
-Added to `wwwroot/appsettings.json` of the `BlazorWasmAuth` project:
+Added to `wwwroot/appsettings.json`:
 
 ```json
 "TotpOrganizationName": "Weyland-Yutani Corporation"
 ```
 
-The file after the configuration key-value are added:
+The file after the TOTP organization name configuration is added:
 
 ```json
 {
@@ -85,39 +85,13 @@ Add the following `TwoFactorResult` class to the `Models` folder.
 ```csharp
 namespace BlazorWasmAuth.Identity.Models
 {
-    /// <summary>
-    /// Response for login and registration.
-    /// </summary>
     public class TwoFactorResult
     {
-        /// <summary>
-        /// Gets or sets a value indicating the shared key.
-        /// </summary>
         public string SharedKey { get; set; } = string.Empty;
-
-        /// <summary>
-        /// Gets or sets a value indicating the number of remaining recovery codes.
-        /// </summary>
         public int RecoveryCodesLeft { get; set; } = 0;
-
-        /// <summary>
-        /// Gets or sets a value indicating the recovery codes.
-        /// </summary>
         public string[] RecoveryCodes { get; set; } = [];
-
-        /// <summary>
-        /// Gets or sets a value indicating if two-factor authentication is enabled.
-        /// </summary>
         public bool IsTwoFactorEnabled { get; set; }
-
-        /// <summary>
-        /// Gets or sets a value indicating if the machine is remembered.
-        /// </summary>
         public bool IsMachineRemembered { get; set; }
-
-        /// <summary>
-        /// On failure, the problem details are parsed and returned in this array.
-        /// </summary>
         public string[] ErrorList { get; set; } = [];
     }
 }
@@ -130,41 +104,18 @@ Add the following class signatures to the `IAccountManagment` interface.
 `Identity/IAccountManagement.cs` (paste the following code at the bottom of the interface):
 
 ```csharp
-/// <summary>
-/// Login service with two-factor authentication.
-/// </summary>
-/// <param name="email">User's email.</param>
-/// <param name="password">User's password.</param>
-/// <param name="twoFactorCode">User's 2FA code.</param>
-/// <returns>The result of the request serialized to <see cref="FormResult"/>.</returns>
 public Task<FormResult> LoginTwoFactorCodeAsync(
     string email, 
     string password, 
     string twoFactorCode);
 
-/// <summary>
-/// Initial POST request to the two-factor authentication endpoint.
-/// </summary>
-/// <param name="enable">A flag indicating 2FA status.</param>
-/// <param name="twoFactorCode">The two-factor authentication code supplied by the user's 2FA app.</param>
-/// <param name="resetSharedKey">A flag indicating if the shared key should be reset.</param>
-/// <param name="resetRecoveryCodes">A flag indicating if the recovery codes should be reset.</param>
-/// <param name="forgetMachine">A flag indicating if the machine should be forgotten.</param>
-/// <returns>The result serialized to a <see cref="TwoFactorResult"/>.</returns>
 public Task<TwoFactorResult> TwoFactorRequest(
     bool enable = false, 
-    string twoFactorCode = "", 
+    string twoFactorCode = string.Empty, 
     bool resetSharedKey = false, 
     bool resetRecoveryCodes = false, 
     bool forgetMachine = false);
 
-/// <summary>
-/// Login service with two-factor recovery authentication.
-/// </summary>
-/// <param name="email">User's email.</param>
-/// <param name="password">User's password.</param>
-/// <param name="twoFactorRecoveryCode">User's 2FA recovery code.</param>
-/// <returns>The result of the request serialized to <see cref="FormResult"/>.</returns>
 public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
     string email, 
     string password, 
@@ -173,14 +124,13 @@ public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
 
 ## `CookieAuthenticationStateProvider`
 
-Replace the `LoginAsync` method with the following code in `Identity/CookieAuthenticationStateProvider.cs`:
+In `Identity/CookieAuthenticationStateProvider.cs`, replace the `LoginAsync` method with the following code:
 
 ```csharp
 public async Task<FormResult> LoginAsync(string email, string password)
 {
     try
     {
-        // login with cookies
         var result = await httpClient.PostAsJsonAsync(
             "login?useCookies=true", new
             {
@@ -188,13 +138,10 @@ public async Task<FormResult> LoginAsync(string email, string password)
                 password
             });
 
-        // success?
         if (result.IsSuccessStatusCode)
         {
-            // need to refresh auth state
             NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
 
-            // success!
             return new FormResult { Succeeded = true };
         }
         else if (result.StatusCode == HttpStatusCode.Unauthorized)
@@ -215,7 +162,6 @@ public async Task<FormResult> LoginAsync(string email, string password)
     }
     catch { }
 
-    // unknown error
     return new FormResult
     {
         Succeeded = false,
@@ -227,21 +173,11 @@ public async Task<FormResult> LoginAsync(string email, string password)
 Add the following methods and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
 
 ```csharp
-/// <summary>
-/// User login with two-factor authentication.
-/// </summary>
-/// <param name="email">The user's email address.</param>
-/// <param name="password">The user's password.</param>
-/// <param name="twoFactorCode">The user's password.</param>
-/// <returns>
-///     The result of the login request serialized to a <see cref="FormResult"/>.
-/// </returns>
 public async Task<FormResult> LoginTwoFactorCodeAsync(
     string email, string password, string twoFactorCode)
 {
     try
     {
-        // login with cookies
         var result = await httpClient.PostAsJsonAsync(
             "login?useCookies=true", new
             {
@@ -250,19 +186,15 @@ public async Task<FormResult> LoginTwoFactorCodeAsync(
                 twoFactorCode
             });
 
-        // success?
         if (result.IsSuccessStatusCode)
         {
-            // need to refresh auth state
             NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
 
-            // success!
             return new FormResult { Succeeded = true };
         }
     }
     catch { }
 
-    // unknown error
     return new FormResult
     {
         Succeeded = false,
@@ -270,23 +202,6 @@ public async Task<FormResult> LoginTwoFactorCodeAsync(
     };
 }
 
-/// <summary>
-/// Initial POST request to the two-factor authentication endpoint.
-/// </summary>
-/// <param name="enable">A flag indicating 2FA status.</param>
-/// <param name="twoFactorCode">
-///     The two-factor authentication code supplied by the user's 2FA app.
-/// </param>
-/// <param name="resetSharedKey">
-///     A flag indicating if the shared key should be reset.
-/// </param>
-/// <param name="resetRecoveryCodes">
-///    A flag indicating if the recovery codes should be reset.
-/// </param>
-/// <param name="forgetMachine">
-///     A flag indicating if the machine should be forgotten.
-/// </param>
-/// <returns>The result serialized to a <see cref="TwoFactorResult"/>.</returns>
 public async Task<TwoFactorResult> TwoFactorRequest(
     bool enable,
     string twoFactorCode,
@@ -306,6 +221,11 @@ public async Task<TwoFactorResult> TwoFactorRequest(
             response = await httpClient.PostAsJsonAsync("manage/2fa", 
                 new { enable, resetSharedKey });
         }
+        else if (resetRecoveryCodes)
+        {
+            response = await httpClient.PostAsJsonAsync("manage/2fa",
+                new { enable, resetRecoveryCodes });
+        }
         else if (forgetMachine)
         {
             response = await httpClient.PostAsJsonAsync("manage/2fa", 
@@ -322,7 +242,6 @@ public async Task<TwoFactorResult> TwoFactorRequest(
                 new { });
         }
 
-        // successful?
         if (response.IsSuccessStatusCode)
         {
             return await response.Content
@@ -334,7 +253,6 @@ public async Task<TwoFactorResult> TwoFactorRequest(
                 };
         }
 
-        // body should contain details about why it failed
         var details = await response.Content.ReadAsStringAsync();
         var problemDetails = JsonDocument.Parse(details);
         var errors = new List<string>();
@@ -355,7 +273,6 @@ public async Task<TwoFactorResult> TwoFactorRequest(
             }
         }
 
-        // return the error list
         return new TwoFactorResult
         {
             ErrorList = problemDetails == null ? defaultDetail : [.. errors]
@@ -363,26 +280,17 @@ public async Task<TwoFactorResult> TwoFactorRequest(
     }
     catch { }
 
-    // unknown error
     return new TwoFactorResult
     {
         ErrorList = [ "There was an error processing the request." ]
     };
 }
 
-/// <summary>
-/// User login with two-factor authentication.
-/// </summary>
-/// <param name="email">The user's email address.</param>
-/// <param name="password">The user's password.</param>
-/// <param name="twoFactorCode">The user's password.</param>
-/// <returns>The result of the login request serialized to a <see cref="FormResult"/>.</returns>
 public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email, 
     string password, string twoFactorRecoveryCode)
 {
     try
     {
-        // login with cookies
         var result = await httpClient.PostAsJsonAsync(
             "login?useCookies=true", new
             {
@@ -391,19 +299,15 @@ public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email,
                 twoFactorRecoveryCode
             });
 
-        // success?
         if (result.IsSuccessStatusCode)
         {
-            // need to refresh auth state
             NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
 
-            // success!
             return new FormResult { Succeeded = true };
         }
     }
     catch { }
 
-    // unknown error
     return new FormResult
     {
         Succeeded = false,
@@ -453,44 +357,32 @@ Replace the `Login` component with the following code.
         <div class="row">
             <div class="col">
                 <section>
-                    <EditForm Model="Input" 
-                              method="post" 
-                              OnValidSubmit="LoginUser" 
-                              FormName="login" 
-                              Context="editform_context">
+                    <EditForm Model="Input" method="post" OnValidSubmit="LoginUser" 
+                            FormName="login" Context="editform_context">
                         <DataAnnotationsValidator />
                         <h2>Use a local account to log in.</h2>
                         <hr />
                         <div style="display:@(requiresTwoFactor ? "none" : "block")">
                             <div class="form-floating mb-3">
-                                <InputText 
-                                    @bind-Value="Input.Email" 
-                                    id="Input.Email" 
-                                    class="form-control" 
-                                    autocomplete="username" 
-                                    aria-required="true" 
+                                <InputText @bind-Value="Input.Email" 
+                                    id="Input.Email" class="form-control" 
+                                    autocomplete="username" aria-required="true" 
                                     placeholder="name@example.com" />
                                 <label for="Input.Email" class="form-label">
                                     Email
                                 </label>
-                                <ValidationMessage 
-                                    For="() => Input.Email" 
+                                <ValidationMessage For="() => Input.Email" 
                                     class="text-danger" />
                             </div>
                             <div class="form-floating mb-3">
-                                <InputText 
-                                    type="password" 
-                                    @bind-Value="Input.Password" 
-                                    id="Input.Password" 
-                                    class="form-control" 
-                                    autocomplete="current-password" 
-                                    aria-required="true" 
-                                    placeholder="password" />
+                                <InputText type="password" 
+                                    @bind-Value="Input.Password" id="Input.Password" 
+                                    class="form-control" autocomplete="current-password" 
+                                    aria-required="true" placeholder="password" />
                                 <label for="Input.Password" class="form-label">
                                     Password
                                 </label>
-                                <ValidationMessage 
-                                    For="() => Input.Password" 
+                                <ValidationMessage For="() => Input.Password" 
                                     class="text-danger" />
                             </div>
                         </div>
@@ -499,13 +391,12 @@ Replace the `Login` component with the following code.
                                 <InputText @bind-Value="Input.TwoFactorCode" 
                                     id="Input.TwoFactorCode" class="form-control" 
                                     autocomplete="off" 
-                                    placeholder="123456 or 12345-67890" />
+                                    placeholder="###### or #####-#####" />
                                 <label for="Input.TwoFactorCode" class="form-label">
-                                    2FA Authenticator code (6 digits) or Recovery 
+                                    2FA Authenticator Code (6 digits) or Recovery 
                                     Code (#####-#####, dash required)
                                 </label>
-                                <ValidationMessage 
-                                    For="() => Input.TwoFactorCode" 
+                                <ValidationMessage For="() => Input.TwoFactorCode" 
                                     class="text-danger" />
                             </div>
                         </div>
@@ -659,117 +550,118 @@ Add the following `Manage2fa` component.
     <div class="col">
         @if (twoFactorResult is not null)
         {
-            if (twoFactorResult.ErrorList.Length > 0)
+            @foreach (var error in twoFactorResult.ErrorList)
             {
-                @foreach (var error in twoFactorResult.ErrorList)
-                {
-                    <div class="alert alert-danger">@error</div>
-                }
+                <div class="alert alert-danger">@error</div>
             }
-            else
+
+            @if (twoFactorResult.IsTwoFactorEnabled)
             {
-                @if (twoFactorResult.IsTwoFactorEnabled)
-                {
-                    <div class="alert alert-success" role="alert">
-                        Two-factor authentication is enabled for your account.
-                    </div>
+                <div class="alert alert-success" role="alert">
+                    Two-factor authentication is enabled for your account.
+                </div>
 
+                <div class="m-1">
                     <button @onclick="Disable2FA" class="btn btn-lg btn-primary">
                         Disable 2FA
                     </button>
+                </div>
 
-                    @if (recoveryCodes is null)
-                    {
-                        <button @onclick="NewCodes" class="btn btn-lg btn-primary">
+                @if (recoveryCodes is null)
+                {
+                    <div class="m-1">
+                        <button @onclick="GenerateNewCodes" 
+                                class="btn btn-lg btn-primary">
                             Generate New Recovery Codes
                         </button>
-                    }
-                    else
-                    {
-                        <ShowRecoveryCodes 
-                            RecoveryCodes="twoFactorResult.RecoveryCodes.ToArray()" />
-                    }
+                    </div>
                 }
                 else
                 {
-                    <h3>Configure authenticator app</h3>
-                    <div>
-                        <p>To use an authenticator app:</p>
-                        <ol class="list">
-                            <li>
-                                <p>
-                                    Download a two-factor authenticator app, such 
-                                    as either of the following:
-                                    <ul>
-                                        <li>
-                                            Microsoft Authenticator for
-                                            <a href="https://go.microsoft.com/fwlink/?Linkid=825072">
-                                                Android
-                                            </a> and
-                                            <a href="https://go.microsoft.com/fwlink/?Linkid=825073">
-                                                iOS
-                                            </a>
-                                        </li>
-                                        <li>
-                                            Google Authenticator for
-                                            <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2">
-                                                Android
-                                            </a> and
-                                            <a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8">
-                                                iOS
-                                            </a>
-                                        </li>
-                                    </ul>
-                                </p>
-                            </li>
-                            <li>
-                                <p>
-                                    Scan the QR Code or enter this key 
-                                    <kbd>@twoFactorResult.SharedKey</kbd> into your 
-                                    two factor authenticator app. Spaces and casing 
-                                    don't matter.
-                                </p>
-                                <div id="qrCode"></div>
-                            </li>
-                            <li>
-                                <p>
-                                    Once you have scanned the QR code or input the 
-                                    key above, your two factor authentication app 
-                                    will provide you with a unique code. Enter the 
-                                    code in the confirmation box below.
-                                </p>
-                                <div class="row">
-                                    <div class="col-xl-6">
-                                        <EditForm Model="Input" 
-                                                  FormName="send-code" 
-                                                  OnValidSubmit="OnValidSubmitAsync" 
-                                                  method="post">
-                                            <DataAnnotationsValidator />
-                                            <div class="form-floating mb-3">
-                                                <InputText 
-                                                    @bind-Value="Input.Code" 
-                                                    id="Input.Code" 
-                                                    class="form-control" 
-                                                    autocomplete="off" 
-                                                    placeholder="Enter the code" />
-                                                <label for="Input.Code" class="control-label form-label">
-                                                    Verification Code
-                                                </label>
-                                                <ValidationMessage 
-                                                    For="() => Input.Code" 
-                                                    class="text-danger" />
-                                            </div>
-                                            <button type="submit" class="w-100 btn btn-lg btn-primary">
-                                                Verify
-                                            </button>
-                                        </EditForm>
-                                    </div>
-                                </div>
-                            </li>
-                        </ol>
-                    </div>
+                    <ShowRecoveryCodes 
+                        RecoveryCodes="twoFactorResult.RecoveryCodes.ToArray()" />
                 }
             }
+            else
+            {
+                <h3>Configure authenticator app</h3>
+                <div>
+                    <p>To use an authenticator app:</p>
+                    <ol class="list">
+                        <li>
+                            <p>
+                                Download a two-factor authenticator app, such 
+                                as either of the following:
+                                <ul>
+                                    <li>
+                                        Microsoft Authenticator for
+                                        <a href="https://go.microsoft.com/fwlink/?Linkid=825072">
+                                            Android
+                                        </a> and
+                                        <a href="https://go.microsoft.com/fwlink/?Linkid=825073">
+                                            iOS
+                                        </a>
+                                    </li>
+                                    <li>
+                                        Google Authenticator for
+                                        <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2">
+                                            Android
+                                        </a> and
+                                        <a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8">
+                                            iOS
+                                        </a>
+                                    </li>
+                                </ul>
+                            </p>
+                        </li>
+                        <li>
+                            <p>
+                                Scan the QR Code or enter this key 
+                                <kbd>@twoFactorResult.SharedKey</kbd> into your 
+                                two factor authenticator app. Spaces and casing 
+                                don't matter.
+                            </p>
+                            <div @ref="qrCodeElement"></div>
+                        </li>
+                        <li>
+                            <p>
+                                Once you have scanned the QR code or input the 
+                                key above, your two factor authentication app 
+                                will provide you with a unique code. Enter the 
+                                code in the confirmation box below.
+                            </p>
+                            <div class="row">
+                                <div class="col-xl-6">
+                                    <EditForm 
+                                    Model="Input" 
+                                    FormName="send-code" 
+                                    OnValidSubmit="OnValidSubmitAsync" 
+                                    method="post">
+                                        <DataAnnotationsValidator />
+                                        <div class="form-floating mb-3">
+                                            <InputText 
+                                            @bind-Value="Input.Code" 
+                                            id="Input.Code" 
+                                            class="form-control" 
+                                            autocomplete="off" 
+                                            placeholder="Enter the code" />
+                                            <label for="Input.Code" class="control-label form-label">
+                                                Verification Code
+                                            </label>
+                                            <ValidationMessage 
+                                            For="() => Input.Code" 
+                                            class="text-danger" />
+                                        </div>
+                                        <button type="submit" class="w-100 btn btn-lg btn-primary">
+                                            Verify
+                                        </button>
+                                    </EditForm>
+                                </div>
+                            </div>
+                        </li>
+                    </ol>
+                </div>
+            }
         }
     </div>
 </div>
@@ -778,6 +670,7 @@ Add the following `Manage2fa` component.
     private IEnumerable<string>? recoveryCodes;
     private IJSObjectReference? module;
     private TwoFactorResult twoFactorResult = new();
+    private ElementReference qrCodeElement;
 
     [SupplyParameterFromForm]
     private InputModel Input { get; set; } = new();
@@ -796,35 +689,36 @@ Add the following `Manage2fa` component.
         {
             module = await JS.InvokeAsync<IJSObjectReference>("import",
                 "./Components/Identity/Manage2fa.razor.js");
+        }
 
-            //twoFactorResult = await Acct.TwoFactorRequest();
-
-            if (authenticationState is not null)
-            {
-                var authState = await authenticationState;
-                var email = authState?.User?.Identity?.Name!;
+        if (authenticationState is not null &&
+            !string.IsNullOrEmpty(twoFactorResult?.SharedKey) &&
+            module is not null)
+        {
+            var authState = await authenticationState;
+            var email = authState?.User?.Identity?.Name!;
 
-                var uri = string.Format(
-                    CultureInfo.InvariantCulture,
-                    "otpauth://totp/{0}:{1}?secret={2}&issuer={0}&digits=6",
-                    UrlEncoder.Default.Encode(Config["TotpOrganizationName"]!),
-                    email,
-                    twoFactorResult.SharedKey);
+            var uri = string.Format(
+                CultureInfo.InvariantCulture,
+                "otpauth://totp/{0}:{1}?secret={2}&issuer={0}&digits=6",
+                UrlEncoder.Default.Encode(Config["TotpOrganizationName"]!),
+                email,
+                twoFactorResult?.SharedKey);
 
-                await module.InvokeVoidAsync("setQrCode", uri);
-            }
+            await module.InvokeVoidAsync("setQrCode", qrCodeElement, uri);
         }
     }
 
     private async Task Disable2FA()
     {
-        twoFactorResult = await Acct.TwoFactorRequest(resetSharedKey: true);
+        twoFactorResult = 
+            await Acct.TwoFactorRequest(enable: false, resetSharedKey: true);
     }
 
-    private async Task NewCodes()
+    private async Task GenerateNewCodes()
     {
-        twoFactorResult = await Acct.TwoFactorRequest(resetRecoveryCodes: true);
-        recoveryCodes = twoFactorResult.RecoveryCodes;
+        twoFactorResult = 
+            await Acct.TwoFactorRequest(enable: false, resetRecoveryCodes: true);
     }
 
     private async Task OnValidSubmitAsync()
@@ -859,8 +753,17 @@ Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript
 `Components/Identity/Manage2fa.razor.js`:
 
 ```javascript
-export function setQrCode(uri) {
-  new QRCode(document.getElementById('qrCode'), uri);
+export function setQrCode(qrCodeElement, uri) {
+  if (qrCodeElement !== null) {
+    QrCreator.render({
+      text: uri,
+      radius: 0,
+      ecLevel: 'H',
+      fill: '#000000',
+      background: null,
+      size: 190
+    }, qrCodeElement);
+  }
 }
 ```
 

From 732f927b221bba77f6991a227fdd74fa379be128 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 21 Nov 2024 11:12:30 -0500
Subject: [PATCH 04/25] Updates

---
 .../standalone-with-identity/qrcodes-for-authenticator-apps.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index a6bae9c41c70..8b3df3878579 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -111,7 +111,7 @@ public Task<FormResult> LoginTwoFactorCodeAsync(
 
 public Task<TwoFactorResult> TwoFactorRequest(
     bool enable = false, 
-    string twoFactorCode = string.Empty, 
+    string twoFactorCode = "", 
     bool resetSharedKey = false, 
     bool resetRecoveryCodes = false, 
     bool forgetMachine = false);

From 8f12c385eb5e3cf02d4b58d1799fb899ae92597a Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Fri, 22 Nov 2024 08:47:27 -0500
Subject: [PATCH 05/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         |  12 +-
 .../qrcodes-for-authenticator-apps.md         | 232 ++++++++++++------
 2 files changed, 162 insertions(+), 82 deletions(-)

diff --git a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
index ace84d25cbd9..85533c533e75 100644
--- a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
@@ -11,12 +11,12 @@ uid: blazor/security/qrcodes-for-authenticator-apps
 
 [!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
 
-This article explains how to configure an ASP.NET Core Blazor Web App with QR code generation for TOTP authenticator apps.
+This article explains how to configure an ASP.NET Core Blazor Web App with QR code generation for Time-based One-time Password Algorithm (TOTP) authenticator apps.
 
-For an introduction to two-factor authentication (2FA) with authenticator apps using a Time-based One-time Password Algorithm (TOTP), see <xref:security/authentication/identity-enable-qrcodes>.
+For an introduction to two-factor authentication (2FA) using a TOTP authenticator app, see <xref:security/authentication/identity-enable-qrcodes>.
 
 > [!WARNING]
-> An ASP.NET Core TOTP code should be kept secret because it can be used to authenticate successfully multiple times before it expires.
+> TOTP codes should be kept secret because it can be used to authenticate successfully multiple times before it expires.
 
 ## Scaffold the Enable Authenticator component into the app
 
@@ -33,11 +33,11 @@ For more information, see <xref:security/authentication/scaffold-identity>. For
 
 ## Adding QR codes to the 2FA configuration page
 
-The QR code used by 2FA authenticator apps to configure the app to creates TOTP codes must be generated by a QR code library.
+QR codes for use by TOTP authenticator apps must be generated by a QR code library.
 
-The guidance in this article uses [qr-creator](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
+The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
 
-Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the solution's server project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer.
+Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the solution's server project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer (see the [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) GitHub repository for details).
 
 In the `App` component (`Components/App.razor`), place a library script reference after [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 8b3df3878579..03a512034044 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -11,15 +11,15 @@ uid: blazor/security/webassembly/standalone-with-identity/qrcodes-for-authentica
 
 [!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
 
-This article explains how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with a Time-based One-time Password Algorithm (TOTP) authenticator app.
+This article explains how to configure an ASP.NET Core Blazor WebAssembly app with Identity with QR code generation for Time-based One-time Password Algorithm (TOTP) authenticator apps.
 
 > [!NOTE]
-> This article only applies standalone Blazor WebAssembly apps with ASP.NET Core Identity. To implement QR code generation for Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>.
+> This article only applies standalone Blazor WebAssembly apps with a server backend web API that adopts ASP.NET Core Identity. To implement QR code generation for Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>.
 
 For an introduction to two-factor authentication (2FA) using a TOTP authenticator app, see <xref:security/authentication/identity-enable-qrcodes>.
 
 > [!WARNING]
-> An ASP.NET Core TOTP code should be kept secret because it can be used to authenticate successfully multiple times before it expires.
+> TOTP codes should be kept secret because it can be used to authenticate successfully multiple times before it expires.
 
 ## Namespaces and article code examples
 
@@ -30,9 +30,9 @@ The namespaces used by the examples in this article are:
 
 These namespaces correspond to the projects in the `BlazorWebAssemblyStandaloneWithIdentity` sample solution in the [`dotnet/blazor-samples` GitHub repository](https://github.com/dotnet/blazor-samples). For more information, see <xref:blazor/security/webassembly/standalone-with-identity/index#sample-apps>.
 
-If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample solution, change the namespaces in the code examples to use the namespaces of your projects.
+If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample, change the namespaces in the code examples to use the namespaces of your projects.
 
-All of the changes to the solution covered by this article outside of the *Configure account confirmation and password recovery* section take place in the `BlazorWasmAuth` project.
+All of the changes to the solution covered by this article take place in the `BlazorWasmAuth` project.
 
 In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks. You're welcome to condense the code in your own apps by removing the artificial line breaks after you paste the code into a project.
 
@@ -42,11 +42,11 @@ Although apps that implement 2FA authentication often adopt account confirmation
 
 ## Add a QR code library to the app
 
-The QR code used by 2FA authenticator apps to configure the app to creates TOTP codes must be generated by a QR code library.
+QR codes for use by TOTP authenticator apps must be generated by a QR code library.
 
-The guidance in this article uses [qr-creator](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
+The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
 
-Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the `wwwroot` folder of the client project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer.
+Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the `wwwroot` folder of the client project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer (see the [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) GitHub repository for details).
 
 In the client project's `wwwroot/index.html` file, add the following `<script>` tag immediately after the [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
 
@@ -76,9 +76,9 @@ The file after the TOTP organization name configuration is added:
 }
 ```
 
-## `TwoFactorResult` model
+## Add a model class for two-factor results
 
-Add the following `TwoFactorResult` class to the `Models` folder.
+Add the following `TwoFactorResult` class to the `Models` folder. This class is populated by the response to a 2FA request made to the `/manage/2fa` endpoint of <xref:Microsoft.AspNetCore.Routing.IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi%2A> in the server app.
 
 `Identity/Models/TwoFactorResult.cs`:
 
@@ -99,7 +99,11 @@ namespace BlazorWasmAuth.Identity.Models
 
 ## `IAccountManagement` interface
 
-Add the following class signatures to the `IAccountManagment` interface.
+Add the following class signatures to the `IAccountManagement` interface. The class signatures represent methods added to the cookie authentication state provider for the following client requests:
+
+* Log in with a 2FA TOTP code (`/login` endpoint): `LoginTwoFactorCodeAsync`
+* Log in with a 2FA recovery code (`/login` endpoint): `LoginTwoFactorRecoveryCodeAsync`
+* Make a 2FA management request (`/manage/2fa` endpoint): `TwoFactorRequest`
 
 `Identity/IAccountManagement.cs` (paste the following code at the bottom of the interface):
 
@@ -109,20 +113,45 @@ public Task<FormResult> LoginTwoFactorCodeAsync(
     string password, 
     string twoFactorCode);
 
+public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
+    string email, 
+    string password, 
+    string twoFactorRecoveryCode);
+
 public Task<TwoFactorResult> TwoFactorRequest(
     bool enable = false, 
     string twoFactorCode = "", 
     bool resetSharedKey = false, 
     bool resetRecoveryCodes = false, 
     bool forgetMachine = false);
+```
 
-public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
-    string email, 
-    string password, 
-    string twoFactorRecoveryCode);
+## Update the cookie authentication state provider
+
+Update the `CookieAuthenticationStateProvider` with features to add the following features:
+
+* Authenticate users with either a TOTP authenticator app code or a recovery code.
+* Manage 2FA in the app.
+
+Add a class to hold deserialized response content for logging users into the app.
+
+Add the following `HttpResponseContent` class to `Identity/CookieAuthenticationStateProvider.cs`:
+
+```csharp
+private class HttpResponseContent
+{
+    public string? Type { get; set; }
+    public string? Title { get; set; }
+    public int Status {  get; set; }
+    public string? Detail {  get; set; }
+}
 ```
 
-## `CookieAuthenticationStateProvider`
+The `LoginAsync` method is updated with the following logic:
+
+* Attempts a normal login at the `/login` endpoint with an email address (user ID) and password.
+* If the server responds with a success status code, the method returns a `FormResult` with the `Succeeded` property set to `true`.
+* If the server responds with *401 - Unauthorized* status code and a detail code of "`RequiresTwoFactor`," a `FormResult` is returned with `Succeeded` set to `false` and the `RequiresTwoFactor` detail in the error list.
 
 In `Identity/CookieAuthenticationStateProvider.cs`, replace the `LoginAsync` method with the following code:
 
@@ -155,7 +184,7 @@ public async Task<FormResult> LoginAsync(string email, string password)
                 return new FormResult
                 {
                     Succeeded = false,
-                    ErrorList = ["RequiresTwoFactor"]
+                    ErrorList = [ "RequiresTwoFactor" ]
                 };
             }
         }
@@ -170,7 +199,9 @@ public async Task<FormResult> LoginAsync(string email, string password)
 }
 ```
 
-Add the following methods and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
+A `LoginTwoFactorCodeAsync` method is added, which sends a request to the `/login` endpoint with a 2FA TOTP code (`twoFactorCode`). Otherwise, the method processes the response in a similar fashion to a normal, non-2FA login request.
+
+Add the following method and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
 
 ```csharp
 public async Task<FormResult> LoginTwoFactorCodeAsync(
@@ -201,7 +232,54 @@ public async Task<FormResult> LoginTwoFactorCodeAsync(
         ErrorList = [ "Invalid email, password, or two-factor code."]
     };
 }
+```
+
+A `LoginTwoFactorRecoveryCodeAsync` method is added, which sends a request to the `/login` endpoint with a 2FA recovery code (`twoFactorRecoveryCode`). Otherwise, the method processes the response in a similar fashion to a normal, non-2FA login request.
 
+Add the following method and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
+
+```csharp
+public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email, 
+    string password, string twoFactorRecoveryCode)
+{
+    try
+    {
+        var result = await httpClient.PostAsJsonAsync(
+            "login?useCookies=true", new
+            {
+                email,
+                password,
+                twoFactorRecoveryCode
+            });
+
+        if (result.IsSuccessStatusCode)
+        {
+            NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
+
+            return new FormResult { Succeeded = true };
+        }
+    }
+    catch { }
+
+    return new FormResult
+    {
+        Succeeded = false,
+        ErrorList = [ "Invalid email, password, or two-factor code." ]
+    };
+}
+```
+
+A `TwoFactorRequest` method is added, which is used to manage 2FA for the user:
+
+* Reset the shared 2FA key.
+* Reset the user's recovery codes.
+* Forget the machine, which means that a new 2FA TOTP code is required on the next login attempt.
+* Enable 2FA using a 2FA code from a TOTP authenticator app.
+* Obtain 2FA status with an empty request.
+
+Add the following method and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
+
+```csharp
 public async Task<TwoFactorResult> TwoFactorRequest(
     bool enable,
     string twoFactorCode,
@@ -285,48 +363,15 @@ public async Task<TwoFactorResult> TwoFactorRequest(
         ErrorList = [ "There was an error processing the request." ]
     };
 }
-
-public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email, 
-    string password, string twoFactorRecoveryCode)
-{
-    try
-    {
-        var result = await httpClient.PostAsJsonAsync(
-            "login?useCookies=true", new
-            {
-                email,
-                password,
-                twoFactorRecoveryCode
-            });
-
-        if (result.IsSuccessStatusCode)
-        {
-            NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
-
-            return new FormResult { Succeeded = true };
-        }
-    }
-    catch { }
-
-    return new FormResult
-    {
-        Succeeded = false,
-        ErrorList = [ "Invalid email, password, or two-factor code." ]
-    };
-}
-
-private class HttpResponseContent
-{
-    public string? Type { get; set; }
-    public string? Title { get; set; }
-    public int Status {  get; set; }
-    public string? Detail {  get; set; }
-}
 ```
 
 ## Replace `Login` component
 
-Replace the `Login` component with the following code.
+Replace the `Login` component. The following version of the `Login` component:
+
+* Accepts a user's email address (user ID) and password for an initial login attempt.
+* If login is successful (2FA is diabled), the component notifies the user that they're authenticated.
+* If the login attempt results in a response indicating that 2FA is required, a 2FA input element appears to receive either a 2FA TOTP code from an authenticator app or a recovery code. Depending on which code the user enters, login is attempted again by calling either `LoginTwoFactorCodeAsync` for a TOTP code or `LoginTwoFactorRecoveryCodeAsync` for a recovery code.
 
 `Components/Identity/Login.razor`:
 
@@ -393,7 +438,7 @@ Replace the `Login` component with the following code.
                                     autocomplete="off" 
                                     placeholder="###### or #####-#####" />
                                 <label for="Input.TwoFactorCode" class="form-label">
-                                    2FA Authenticator Code (6 digits) or Recovery 
+                                    2FA Authenticator Code (######) or Recovery 
                                     Code (#####-#####, dash required)
                                 </label>
                                 <ValidationMessage For="() => Input.TwoFactorCode" 
@@ -485,9 +530,9 @@ Replace the `Login` component with the following code.
 }
 ```
 
-## Show recovery codes component
+## Add a component to display recovery codes
 
-Add the following `ShowRecoveryCode` component to the app.
+Add the following `ShowRecoveryCodes` component to the app to display recovery codes to the user.
 
 `Components/Identity/ShowRecoveryCodes.razor`:
 
@@ -522,7 +567,39 @@ Add the following `ShowRecoveryCode` component to the app.
 
 ## Manage 2FA page
 
-Add the following `Manage2fa` component.
+Add the following `Manage2fa` component to the app to manage 2FA for users.
+
+If 2FA isn't enabled, the component loads a form with a QR code to enable 2FA with a TOTP authenticator app. The user adds the app to their authenticator app and then verifies the authenticator app and enables 2FA by providing a TOTP code from the authenticator app.
+
+If 2FA is enabled, a button appears to disable 2FA.
+
+<!-- NOTE TO REVIEWERS!
+
+     I'm not discussing recovery code generation in this text yet
+     because I'm not clear on how that's supposed to work because
+     submitting such a request doesn't just re-gen the recovery 
+     codes ... it also disables 2FA. That might be a bug in the
+     API, but it's more likely that I don't understand the logic
+     of recovery code re-gen. I've sent an email to discuss
+     this point.
+
+     What we might be doing for this is simply removing the
+     recovery code re-gen (including from the cookie auth state
+     provider code method for `/manage/2fa` management). 
+     Leave it so that the codes are shown once when 2FA is 
+     enabled, and then don't permit re-gen from the app. If the 
+     user hasn't resolved their 2FA/TOTP app login situation 
+     (new phone, new TOTP app, etc.) and they've used all of 
+     their recovery codes, then they're simply locked out until 
+     customer service/IT reactivates their account.
+
+     BTW ... The 'forget machine' piece also doesn't seem
+     particularly relevant. Machines are always remembered by
+     the current API AFAICT. Perhaps, the only way to require
+     TOTP every login attempt is to call for forgetting the 
+     machine after every successful login ... not sure ... this
+     subject will be my follow-up question on the email convo.
+-->
 
 `Components/Identity/Manage2fa.razor`:
 
@@ -640,17 +717,18 @@ Add the following `Manage2fa` component.
                                         <DataAnnotationsValidator />
                                         <div class="form-floating mb-3">
                                             <InputText 
-                                            @bind-Value="Input.Code" 
-                                            id="Input.Code" 
-                                            class="form-control" 
-                                            autocomplete="off" 
-                                            placeholder="Enter the code" />
-                                            <label for="Input.Code" class="control-label form-label">
+                                                @bind-Value="Input.Code" 
+                                                id="Input.Code" 
+                                                class="form-control" 
+                                                autocomplete="off" 
+                                                placeholder="Enter the code" />
+                                            <label for="Input.Code" 
+                                                class="control-label form-label">
                                                 Verification Code
                                             </label>
                                             <ValidationMessage 
-                                            For="() => Input.Code" 
-                                            class="text-danger" />
+                                                For="() => Input.Code" 
+                                                class="text-danger" />
                                         </div>
                                         <button type="submit" class="w-100 btn btn-lg btn-primary">
                                             Verify
@@ -748,7 +826,7 @@ Add the following `Manage2fa` component.
 }
 ```
 
-Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript-location#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component).
+Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript-location#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component) to the project. The `setQrCode` function uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) to create a QR code from the URI string if the `qrCode` element is rendered by the `Manage2fa` component. To customize features of the generated QR code, see the library maintainer's documentation at their GitHub repository.
 
 `Components/Identity/Manage2fa.razor.js`:
 
@@ -769,19 +847,21 @@ export function setQrCode(qrCodeElement, uri) {
 
 ## Link to the the Manage 2FA page
 
-In the `<Authorized>` content of the `<AuthorizeView>` in `Components/Layout/NavMenu.razor`, add a link to the **Manage 2FA** page:
+Add a link to the navigation menu for users to reach the `Manage2fa` component page.
 
-```razor
+In the `<Authorized>` content of the `<AuthorizeView>` in `Components/Layout/NavMenu.razor`, add the following markup:
+
+```diff
 <AuthorizeView>
     <Authorized>
 
         ...
 
-        <div class="nav-item px-3">
-            <NavLink class="nav-link" href="manage-2fa">
-                <span class="bi bi-key" aria-hidden="true"></span> Manage 2FA
-            </NavLink>
-        </div>
++       <div class="nav-item px-3">
++           <NavLink class="nav-link" href="manage-2fa">
++               <span class="bi bi-key" aria-hidden="true"></span> Manage 2FA
++           </NavLink>
++       </div>
 
         ...
 

From 7310d53bb6631d512ef132b3e65a1578ef3f1ccf Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Mon, 25 Nov 2024 08:56:37 -0500
Subject: [PATCH 06/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         | 69 +++++++------------
 1 file changed, 26 insertions(+), 43 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 03a512034044..e507b275f837 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -370,7 +370,7 @@ public async Task<TwoFactorResult> TwoFactorRequest(
 Replace the `Login` component. The following version of the `Login` component:
 
 * Accepts a user's email address (user ID) and password for an initial login attempt.
-* If login is successful (2FA is diabled), the component notifies the user that they're authenticated.
+* If login is successful (2FA is disabled), the component notifies the user that they're authenticated.
 * If the login attempt results in a response indicating that 2FA is required, a 2FA input element appears to receive either a 2FA TOTP code from an authenticator app or a recovery code. Depending on which code the user enters, login is attempted again by calling either `LoginTwoFactorCodeAsync` for a TOTP code or `LoginTwoFactorRecoveryCodeAsync` for a recovery code.
 
 `Components/Identity/Login.razor`:
@@ -393,6 +393,12 @@ Replace the `Login` component. The following version of the `Login` component:
         <div class="alert alert-success">
             You're logged in as @context.User.Identity?.Name.
         </div>
+        @if (!string.IsNullOrEmpty(recoveryCodesRemainingMessage))
+        {
+            <div class="alert alert-warning">
+                @recoveryCodesRemainingMessage
+            </div>
+        }
     </Authorized>
     <NotAuthorized>
         @foreach (var error in formResult.ErrorList)
@@ -468,6 +474,7 @@ Replace the `Login` component. The following version of the `Login` component:
 @code {
     private FormResult formResult = new();
     private bool requiresTwoFactor;
+    private string? recoveryCodesRemainingMessage;
 
     [SupplyParameterFromForm]
     private InputModel Input { get; set; } = new();
@@ -490,6 +497,12 @@ Replace the `Login` component. The following version of the `Login` component:
                 {
                     formResult = await Acct.LoginTwoFactorRecoveryCodeAsync(
                         Input.Email, Input.Password, Input.TwoFactorCode);
+
+                    recoveryCodesRemainingMessage =
+                        $"You have {twoFactorResult.RecoveryCodesLeft} recovery " +
+                        "codes remaining.";
+
+                    StateHasChanged();
                 }
             }
         }
@@ -573,34 +586,6 @@ If 2FA isn't enabled, the component loads a form with a QR code to enable 2FA wi
 
 If 2FA is enabled, a button appears to disable 2FA.
 
-<!-- NOTE TO REVIEWERS!
-
-     I'm not discussing recovery code generation in this text yet
-     because I'm not clear on how that's supposed to work because
-     submitting such a request doesn't just re-gen the recovery 
-     codes ... it also disables 2FA. That might be a bug in the
-     API, but it's more likely that I don't understand the logic
-     of recovery code re-gen. I've sent an email to discuss
-     this point.
-
-     What we might be doing for this is simply removing the
-     recovery code re-gen (including from the cookie auth state
-     provider code method for `/manage/2fa` management). 
-     Leave it so that the codes are shown once when 2FA is 
-     enabled, and then don't permit re-gen from the app. If the 
-     user hasn't resolved their 2FA/TOTP app login situation 
-     (new phone, new TOTP app, etc.) and they've used all of 
-     their recovery codes, then they're simply locked out until 
-     customer service/IT reactivates their account.
-
-     BTW ... The 'forget machine' piece also doesn't seem
-     particularly relevant. Machines are always remembered by
-     the current API AFAICT. Perhaps, the only way to require
-     TOTP every login attempt is to call for forgetting the 
-     machine after every successful login ... not sure ... this
-     subject will be my follow-up question on the email convo.
--->
-
 `Components/Identity/Manage2fa.razor`:
 
 ```razor
@@ -631,7 +616,6 @@ If 2FA is enabled, a button appears to disable 2FA.
             {
                 <div class="alert alert-danger">@error</div>
             }
-
             @if (twoFactorResult.IsTwoFactorEnabled)
             {
                 <div class="alert alert-success" role="alert">
@@ -644,7 +628,7 @@ If 2FA is enabled, a button appears to disable 2FA.
                     </button>
                 </div>
 
-                @if (recoveryCodes is null)
+                @if (twoFactorResult.RecoveryCodes is null)
                 {
                     <div class="m-1">
                         <button @onclick="GenerateNewCodes" 
@@ -656,7 +640,7 @@ If 2FA is enabled, a button appears to disable 2FA.
                 else
                 {
                     <ShowRecoveryCodes 
-                        RecoveryCodes="twoFactorResult.RecoveryCodes.ToArray()" />
+                        RecoveryCodes="twoFactorResult.RecoveryCodes" />
                 }
             }
             else
@@ -710,10 +694,10 @@ If 2FA is enabled, a button appears to disable 2FA.
                             <div class="row">
                                 <div class="col-xl-6">
                                     <EditForm 
-                                    Model="Input" 
-                                    FormName="send-code" 
-                                    OnValidSubmit="OnValidSubmitAsync" 
-                                    method="post">
+                                            Model="Input" 
+                                            FormName="send-code" 
+                                            OnValidSubmit="OnValidSubmitAsync" 
+                                            method="post">
                                         <DataAnnotationsValidator />
                                         <div class="form-floating mb-3">
                                             <InputText 
@@ -722,8 +706,7 @@ If 2FA is enabled, a button appears to disable 2FA.
                                                 class="form-control" 
                                                 autocomplete="off" 
                                                 placeholder="Enter the code" />
-                                            <label for="Input.Code" 
-                                                class="control-label form-label">
+                                            <label for="Input.Code" class="control-label form-label">
                                                 Verification Code
                                             </label>
                                             <ValidationMessage 
@@ -781,7 +764,7 @@ If 2FA is enabled, a button appears to disable 2FA.
                 "otpauth://totp/{0}:{1}?secret={2}&issuer={0}&digits=6",
                 UrlEncoder.Default.Encode(Config["TotpOrganizationName"]!),
                 email,
-                twoFactorResult?.SharedKey);
+                twoFactorResult.SharedKey);
 
             await module.InvokeVoidAsync("setQrCode", qrCodeElement, uri);
         }
@@ -790,20 +773,20 @@ If 2FA is enabled, a button appears to disable 2FA.
     private async Task Disable2FA()
     {
         twoFactorResult = 
-            await Acct.TwoFactorRequest(enable: false, resetSharedKey: true);
+            await Acct.TwoFactorRequest(resetSharedKey: true);
     }
 
     private async Task GenerateNewCodes()
     {
         twoFactorResult = 
-            await Acct.TwoFactorRequest(enable: false, resetRecoveryCodes: true);
+            await Acct.TwoFactorRequest(resetRecoveryCodes: true);
     }
 
     private async Task OnValidSubmitAsync()
     {
         twoFactorResult = await Acct.TwoFactorRequest(enable: true, 
             twoFactorCode: Input.Code);
-        recoveryCodes = twoFactorResult.RecoveryCodes;
+        Input.Code = string.Empty;
     }
 
     private sealed class InputModel
@@ -832,7 +815,7 @@ Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript
 
 ```javascript
 export function setQrCode(qrCodeElement, uri) {
-  if (qrCodeElement !== null) {
+  if (qrCodeElement !== null && !qrCodeElement.innerHTML.trim()) {
     QrCreator.render({
       text: uri,
       radius: 0,

From 22cbd85f40a6d01de3b266bbbaa0426ab77b25bf Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Mon, 25 Nov 2024 09:12:43 -0500
Subject: [PATCH 07/25] Updates

---
 .../standalone-with-identity/qrcodes-for-authenticator-apps.md   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index e507b275f837..544c19568c57 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -498,6 +498,7 @@ Replace the `Login` component. The following version of the `Login` component:
                     formResult = await Acct.LoginTwoFactorRecoveryCodeAsync(
                         Input.Email, Input.Password, Input.TwoFactorCode);
 
+                    var twoFactorResult = await Acct.TwoFactorRequest();
                     recoveryCodesRemainingMessage =
                         $"You have {twoFactorResult.RecoveryCodesLeft} recovery " +
                         "codes remaining.";

From ef6773358580d0a266de00501304702362cfe901 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Mon, 25 Nov 2024 10:14:21 -0500
Subject: [PATCH 08/25] Updates

---
 .../qrcodes-for-authenticator-apps.md                       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 544c19568c57..a9f05821155e 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -297,17 +297,17 @@ public async Task<TwoFactorResult> TwoFactorRequest(
         if (resetSharedKey)
         {
             response = await httpClient.PostAsJsonAsync("manage/2fa", 
-                new { enable, resetSharedKey });
+                new { resetSharedKey });
         }
         else if (resetRecoveryCodes)
         {
             response = await httpClient.PostAsJsonAsync("manage/2fa",
-                new { enable, resetRecoveryCodes });
+                new { resetRecoveryCodes });
         }
         else if (forgetMachine)
         {
             response = await httpClient.PostAsJsonAsync("manage/2fa", 
-                new { enable, forgetMachine });
+                new { forgetMachine });
         }
         else if (!string.IsNullOrEmpty(twoFactorCode))
         {

From 19f22b921ec4718236062d7f26ae2b162eabb5da Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Tue, 26 Nov 2024 07:56:26 -0500
Subject: [PATCH 09/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         | 253 +++++++++---------
 1 file changed, 128 insertions(+), 125 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index a9f05821155e..6c2817d9922c 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -76,24 +76,56 @@ The file after the TOTP organization name configuration is added:
 }
 ```
 
-## Add a model class for two-factor results
+## Add model classes
+
+Add the following `LoginResponse` class to the `Models` folder. This class is populated for requests to the `/login` endpoint of <xref:Microsoft.AspNetCore.Routing.IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi%2A> in the server app.
+
+`Identity/Models/LoginResponse.cs`:
+
+```csharp
+namespace BlazorWasmAuth.Identity.Models;
+
+public class LoginResponse
+{
+    public string? Type { get; set; }
+    public string? Title { get; set; }
+    public int Status { get; set; }
+    public string? Detail { get; set; }
+}
+```
+
+Add the following `TwoFactorRequest` class to the `Models` folder. This class is populated for requests to the `/manage/2fa` endpoint of <xref:Microsoft.AspNetCore.Routing.IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi%2A> in the server app.
+
+`Identity/Models/TwoFactorRequest.cs`:
+
+```csharp
+namespace BlazorWasmAuth.Identity.Models;
+
+public class TwoFactorRequest
+{
+    public bool? Enable { get; set; }
+    public string? TwoFactorCode { get; set; }
+    public bool? ResetSharedKey { get; set; }
+    public bool? ResetRecoveryCodes { get; set; }
+    public bool? ForgetMachine {  get; set; }
+}
+```
 
 Add the following `TwoFactorResult` class to the `Models` folder. This class is populated by the response to a 2FA request made to the `/manage/2fa` endpoint of <xref:Microsoft.AspNetCore.Routing.IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi%2A> in the server app.
 
 `Identity/Models/TwoFactorResult.cs`:
 
 ```csharp
-namespace BlazorWasmAuth.Identity.Models
+namespace BlazorWasmAuth.Identity.Models;
+
+public class TwoFactorResult
 {
-    public class TwoFactorResult
-    {
-        public string SharedKey { get; set; } = string.Empty;
-        public int RecoveryCodesLeft { get; set; } = 0;
-        public string[] RecoveryCodes { get; set; } = [];
-        public bool IsTwoFactorEnabled { get; set; }
-        public bool IsMachineRemembered { get; set; }
-        public string[] ErrorList { get; set; } = [];
-    }
+    public string SharedKey { get; set; } = string.Empty;
+    public int RecoveryCodesLeft { get; set; } = 0;
+    public string[] RecoveryCodes { get; set; } = [];
+    public bool IsTwoFactorEnabled { get; set; }
+    public bool IsMachineRemembered { get; set; }
+    public string[] ErrorList { get; set; } = [];
 }
 ```
 
@@ -119,11 +151,7 @@ public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
     string twoFactorRecoveryCode);
 
 public Task<TwoFactorResult> TwoFactorRequest(
-    bool enable = false, 
-    string twoFactorCode = "", 
-    bool resetSharedKey = false, 
-    bool resetRecoveryCodes = false, 
-    bool forgetMachine = false);
+    TwoFactorRequest twoFactorRequest);
 ```
 
 ## Update the cookie authentication state provider
@@ -133,18 +161,21 @@ Update the `CookieAuthenticationStateProvider` with features to add the followin
 * Authenticate users with either a TOTP authenticator app code or a recovery code.
 * Manage 2FA in the app.
 
-Add a class to hold deserialized response content for logging users into the app.
-
-Add the following `HttpResponseContent` class to `Identity/CookieAuthenticationStateProvider.cs`:
+At the top of the `CookieAuthenticationStateProvider.cs` file, add a `using` statement for <xref:System.Text.Json.Serialization?displayProperty=fullName>:
 
 ```csharp
-private class HttpResponseContent
-{
-    public string? Type { get; set; }
-    public string? Title { get; set; }
-    public int Status {  get; set; }
-    public string? Detail {  get; set; }
-}
+using System.Text.Json.Serialization;
+```
+
+In the <xref:System.Text.Json.JsonSerializerOptions>, add the <xref:System.Text.Json.JsonSerializerOptions.DefaultIgnoreCondition> option set to <xref:System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull?displayProperty=nameWithType>, which avoids serializing null properties:
+
+```diff
+private readonly JsonSerializerOptions jsonSerializerOptions =
+    new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
++       DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+    };
 ```
 
 The `LoginAsync` method is updated with the following logic:
@@ -176,7 +207,7 @@ public async Task<FormResult> LoginAsync(string email, string password)
         else if (result.StatusCode == HttpStatusCode.Unauthorized)
         {
             var responseJson = await result.Content.ReadAsStringAsync();
-            var response = JsonSerializer.Deserialize<HttpResponseContent>(
+            var response = JsonSerializer.Deserialize<LoginResponse>(
                 responseJson, jsonSerializerOptions);
 
             if (response?.Detail == "RequiresTwoFactor")
@@ -229,7 +260,7 @@ public async Task<FormResult> LoginTwoFactorCodeAsync(
     return new FormResult
     {
         Succeeded = false,
-        ErrorList = [ "Invalid email, password, or two-factor code."]
+        ErrorList = [ "Invalid two-factor code." ]
     };
 }
 ```
@@ -264,103 +295,66 @@ public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email,
     return new FormResult
     {
         Succeeded = false,
-        ErrorList = [ "Invalid email, password, or two-factor code." ]
+        ErrorList = [ "Invalid recovery code." ]
     };
 }
 ```
 
 A `TwoFactorRequest` method is added, which is used to manage 2FA for the user:
 
-* Reset the shared 2FA key.
-* Reset the user's recovery codes.
-* Forget the machine, which means that a new 2FA TOTP code is required on the next login attempt.
-* Enable 2FA using a 2FA code from a TOTP authenticator app.
-* Obtain 2FA status with an empty request.
+* Reset the shared 2FA key when `TwoFactorRequest.ResetSharedKey` is `true`. Resetting the shared key implicitly disables two-factor authentication. This forces the user to prove that they can provide a valid TOTP code from their authenticator app to enable 2FA after receiving a new shared key.
+* Reset the user's recovery codes when `TwoFactorRequest.ResetRecoveryCodes` is `true`.
+* Forget the machine when `TwoFactorRequest.ForgetMachine` is `true`, which means that a new 2FA TOTP code is required on the next login attempt.
+* Enable 2FA using a 2FA code from a TOTP authenticator app when `TwoFactorRequest.Enable` is `true` and `TwoFactorRequest.TwoFactorCode` has a valid TOTP value.
+* Obtain 2FA status with an empty request when all of `TwoFactorRequest`'s properties are `null`.
 
-Add the following method and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
+Add the following `TwoFactorRequest` method to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
 
 ```csharp
-public async Task<TwoFactorResult> TwoFactorRequest(
-    bool enable,
-    string twoFactorCode,
-    bool resetSharedKey,
-    bool resetRecoveryCodes,
-    bool forgetMachine)
+public async Task<TwoFactorResult> TwoFactorRequest(TwoFactorRequest twoFactorRequest)
 {
     string[] defaultDetail = 
         [ "An unknown error prevented two-factor authentication." ];
 
-    try
+    var response = await httpClient.PostAsJsonAsync("manage/2fa", twoFactorRequest, 
+        jsonSerializerOptions);
+
+    // successful?
+    if (response.IsSuccessStatusCode)
     {
-        HttpResponseMessage response;
+        return await response.Content
+            .ReadFromJsonAsync<TwoFactorResult>() ??
+            new()
+            { 
+                ErrorList = [ "There was an error processing the request." ]
+            };
+    }
 
-        if (resetSharedKey)
-        {
-            response = await httpClient.PostAsJsonAsync("manage/2fa", 
-                new { resetSharedKey });
-        }
-        else if (resetRecoveryCodes)
-        {
-            response = await httpClient.PostAsJsonAsync("manage/2fa",
-                new { resetRecoveryCodes });
-        }
-        else if (forgetMachine)
-        {
-            response = await httpClient.PostAsJsonAsync("manage/2fa", 
-                new { forgetMachine });
-        }
-        else if (!string.IsNullOrEmpty(twoFactorCode))
-        {
-            response = await httpClient.PostAsJsonAsync("manage/2fa", 
-                new { enable, twoFactorCode });
-        }
-        else
-        {
-            response = await httpClient.PostAsJsonAsync("manage/2fa", 
-                new { });
-        }
+    // body should contain details about why it failed
+    var details = await response.Content.ReadAsStringAsync();
+    var problemDetails = JsonDocument.Parse(details);
+    var errors = new List<string>();
+    var errorList = problemDetails.RootElement.GetProperty("errors");
 
-        if (response.IsSuccessStatusCode)
+    foreach (var errorEntry in errorList.EnumerateObject())
+    {
+        if (errorEntry.Value.ValueKind == JsonValueKind.String)
         {
-            return await response.Content
-                .ReadFromJsonAsync<TwoFactorResult>() ??
-                new()
-                { 
-                    ErrorList = 
-                        [ "There was an error processing the request." ]
-                };
+            errors.Add(errorEntry.Value.GetString()!);
         }
-
-        var details = await response.Content.ReadAsStringAsync();
-        var problemDetails = JsonDocument.Parse(details);
-        var errors = new List<string>();
-        var errorList = problemDetails.RootElement.GetProperty("errors");
-
-        foreach (var errorEntry in errorList.EnumerateObject())
+        else if (errorEntry.Value.ValueKind == JsonValueKind.Array)
         {
-            if (errorEntry.Value.ValueKind == JsonValueKind.String)
-            {
-                errors.Add(errorEntry.Value.GetString()!);
-            }
-            else if (errorEntry.Value.ValueKind == JsonValueKind.Array)
-            {
-                errors.AddRange(
-                    errorEntry.Value.EnumerateArray().Select(
-                        e => e.GetString() ?? string.Empty)
-                    .Where(e => !string.IsNullOrEmpty(e)));
-            }
+            errors.AddRange(
+                errorEntry.Value.EnumerateArray().Select(
+                    e => e.GetString() ?? string.Empty)
+                .Where(e => !string.IsNullOrEmpty(e)));
         }
-
-        return new TwoFactorResult
-        {
-            ErrorList = problemDetails == null ? defaultDetail : [.. errors]
-        };
     }
-    catch { }
 
+    // return the error list
     return new TwoFactorResult
     {
-        ErrorList = [ "There was an error processing the request." ]
+        ErrorList = problemDetails == null ? defaultDetail : [.. errors]
     };
 }
 ```
@@ -416,8 +410,10 @@ Replace the `Login` component. The following version of the `Login` component:
                         <div style="display:@(requiresTwoFactor ? "none" : "block")">
                             <div class="form-floating mb-3">
                                 <InputText @bind-Value="Input.Email" 
-                                    id="Input.Email" class="form-control" 
-                                    autocomplete="username" aria-required="true" 
+                                    id="Input.Email" 
+                                    class="form-control" 
+                                    autocomplete="username" 
+                                    aria-required="true" 
                                     placeholder="name@example.com" />
                                 <label for="Input.Email" class="form-label">
                                     Email
@@ -427,9 +423,12 @@ Replace the `Login` component. The following version of the `Login` component:
                             </div>
                             <div class="form-floating mb-3">
                                 <InputText type="password" 
-                                    @bind-Value="Input.Password" id="Input.Password" 
-                                    class="form-control" autocomplete="current-password" 
-                                    aria-required="true" placeholder="password" />
+                                    @bind-Value="Input.Password" 
+                                    id="Input.Password" 
+                                    class="form-control" 
+                                    autocomplete="current-password" 
+                                    aria-required="true" 
+                                    placeholder="password" />
                                 <label for="Input.Password" class="form-label">
                                     Password
                                 </label>
@@ -440,12 +439,12 @@ Replace the `Login` component. The following version of the `Login` component:
                         <div style="display:@(requiresTwoFactor ? "block" : "none")">
                             <div class="form-floating mb-3">
                                 <InputText @bind-Value="Input.TwoFactorCode" 
-                                    id="Input.TwoFactorCode" class="form-control" 
+                                    id="Input.TwoFactorCode" 
+                                    class="form-control" 
                                     autocomplete="off" 
                                     placeholder="###### or #####-#####" />
                                 <label for="Input.TwoFactorCode" class="form-label">
-                                    2FA Authenticator Code (######) or Recovery 
-                                    Code (#####-#####, dash required)
+                                    2FA Authenticator Code or Recovery Code
                                 </label>
                                 <ValidationMessage For="() => Input.TwoFactorCode" 
                                     class="text-danger" />
@@ -456,7 +455,7 @@ Replace the `Login` component. The following version of the `Login` component:
                                 Log in
                             </button>
                         </div>
-                        <div>
+                        <div class="mt-3">
                             <p>
                                 <a href="forgot-password">Forgot password</a>
                             </p>
@@ -498,12 +497,13 @@ Replace the `Login` component. The following version of the `Login` component:
                     formResult = await Acct.LoginTwoFactorRecoveryCodeAsync(
                         Input.Email, Input.Password, Input.TwoFactorCode);
 
-                    var twoFactorResult = await Acct.TwoFactorRequest();
-                    recoveryCodesRemainingMessage =
-                        $"You have {twoFactorResult.RecoveryCodesLeft} recovery " +
-                        "codes remaining.";
-
-                    StateHasChanged();
+                    if (formResult.Succeeded)
+                    {
+                        var twoFactorResult = await Acct.TwoFactorRequest(new());
+                        recoveryCodesRemainingMessage =
+                            $"You have {twoFactorResult.RecoveryCodesLeft} recovery " +
+                            "codes remaining.";
+                    }
                 }
             }
         }
@@ -694,8 +694,7 @@ If 2FA is enabled, a button appears to disable 2FA.
                             </p>
                             <div class="row">
                                 <div class="col-xl-6">
-                                    <EditForm 
-                                            Model="Input" 
+                                    <EditForm Model="Input" 
                                             FormName="send-code" 
                                             OnValidSubmit="OnValidSubmitAsync" 
                                             method="post">
@@ -707,7 +706,8 @@ If 2FA is enabled, a button appears to disable 2FA.
                                                 class="form-control" 
                                                 autocomplete="off" 
                                                 placeholder="Enter the code" />
-                                            <label for="Input.Code" class="control-label form-label">
+                                            <label for="Input.Code" 
+                                                    class="control-label form-label">
                                                 Verification Code
                                             </label>
                                             <ValidationMessage 
@@ -729,7 +729,6 @@ If 2FA is enabled, a button appears to disable 2FA.
 </div>
 
 @code {
-    private IEnumerable<string>? recoveryCodes;
     private IJSObjectReference? module;
     private TwoFactorResult twoFactorResult = new();
     private ElementReference qrCodeElement;
@@ -742,7 +741,7 @@ If 2FA is enabled, a button appears to disable 2FA.
 
     protected override async Task OnInitializedAsync()
     {
-        twoFactorResult = await Acct.TwoFactorRequest();
+        twoFactorResult = await Acct.TwoFactorRequest(new());
     }
 
     protected override async Task OnAfterRenderAsync(bool firstRender)
@@ -774,19 +773,23 @@ If 2FA is enabled, a button appears to disable 2FA.
     private async Task Disable2FA()
     {
         twoFactorResult = 
-            await Acct.TwoFactorRequest(resetSharedKey: true);
+            await Acct.TwoFactorRequest(new() { ResetSharedKey = true });
     }
 
     private async Task GenerateNewCodes()
     {
         twoFactorResult = 
-            await Acct.TwoFactorRequest(resetRecoveryCodes: true);
+            await Acct.TwoFactorRequest(new() { ResetRecoveryCodes = true });
     }
 
     private async Task OnValidSubmitAsync()
     {
-        twoFactorResult = await Acct.TwoFactorRequest(enable: true, 
-            twoFactorCode: Input.Code);
+        twoFactorResult = await Acct.TwoFactorRequest(
+            new() 
+            { 
+                Enable = true, 
+                TwoFactorCode = Input.Code 
+            });
         Input.Code = string.Empty;
     }
 

From e67b8a8eb0ed9433352c15a2604a33b7e92170f7 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Tue, 26 Nov 2024 08:06:24 -0500
Subject: [PATCH 10/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 6c2817d9922c..1be6688e1c2f 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -135,7 +135,7 @@ Add the following class signatures to the `IAccountManagement` interface. The cl
 
 * Log in with a 2FA TOTP code (`/login` endpoint): `LoginTwoFactorCodeAsync`
 * Log in with a 2FA recovery code (`/login` endpoint): `LoginTwoFactorRecoveryCodeAsync`
-* Make a 2FA management request (`/manage/2fa` endpoint): `TwoFactorRequest`
+* Make a 2FA management request (`/manage/2fa` endpoint): `TwoFactorRequestAsync`
 
 `Identity/IAccountManagement.cs` (paste the following code at the bottom of the interface):
 
@@ -150,7 +150,7 @@ public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
     string password, 
     string twoFactorRecoveryCode);
 
-public Task<TwoFactorResult> TwoFactorRequest(
+public Task<TwoFactorResult> TwoFactorRequestAsync(
     TwoFactorRequest twoFactorRequest);
 ```
 
@@ -300,7 +300,7 @@ public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email,
 }
 ```
 
-A `TwoFactorRequest` method is added, which is used to manage 2FA for the user:
+A `TwoFactorRequestAsync` method is added, which is used to manage 2FA for the user:
 
 * Reset the shared 2FA key when `TwoFactorRequest.ResetSharedKey` is `true`. Resetting the shared key implicitly disables two-factor authentication. This forces the user to prove that they can provide a valid TOTP code from their authenticator app to enable 2FA after receiving a new shared key.
 * Reset the user's recovery codes when `TwoFactorRequest.ResetRecoveryCodes` is `true`.
@@ -308,10 +308,10 @@ A `TwoFactorRequest` method is added, which is used to manage 2FA for the user:
 * Enable 2FA using a 2FA code from a TOTP authenticator app when `TwoFactorRequest.Enable` is `true` and `TwoFactorRequest.TwoFactorCode` has a valid TOTP value.
 * Obtain 2FA status with an empty request when all of `TwoFactorRequest`'s properties are `null`.
 
-Add the following `TwoFactorRequest` method to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
+Add the following `TwoFactorRequestAsync` method to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
 
 ```csharp
-public async Task<TwoFactorResult> TwoFactorRequest(TwoFactorRequest twoFactorRequest)
+public async Task<TwoFactorResult> TwoFactorRequestAsync(TwoFactorRequest twoFactorRequest)
 {
     string[] defaultDetail = 
         [ "An unknown error prevented two-factor authentication." ];
@@ -499,7 +499,7 @@ Replace the `Login` component. The following version of the `Login` component:
 
                     if (formResult.Succeeded)
                     {
-                        var twoFactorResult = await Acct.TwoFactorRequest(new());
+                        var twoFactorResult = await Acct.TwoFactorRequestAsync(new());
                         recoveryCodesRemainingMessage =
                             $"You have {twoFactorResult.RecoveryCodesLeft} recovery " +
                             "codes remaining.";
@@ -741,7 +741,7 @@ If 2FA is enabled, a button appears to disable 2FA.
 
     protected override async Task OnInitializedAsync()
     {
-        twoFactorResult = await Acct.TwoFactorRequest(new());
+        twoFactorResult = await Acct.TwoFactorRequestAsync(new());
     }
 
     protected override async Task OnAfterRenderAsync(bool firstRender)
@@ -773,18 +773,18 @@ If 2FA is enabled, a button appears to disable 2FA.
     private async Task Disable2FA()
     {
         twoFactorResult = 
-            await Acct.TwoFactorRequest(new() { ResetSharedKey = true });
+            await Acct.TwoFactorRequestAsync(new() { ResetSharedKey = true });
     }
 
     private async Task GenerateNewCodes()
     {
         twoFactorResult = 
-            await Acct.TwoFactorRequest(new() { ResetRecoveryCodes = true });
+            await Acct.TwoFactorRequestAsync(new() { ResetRecoveryCodes = true });
     }
 
     private async Task OnValidSubmitAsync()
     {
-        twoFactorResult = await Acct.TwoFactorRequest(
+        twoFactorResult = await Acct.TwoFactorRequestAsync(
             new() 
             { 
                 Enable = true, 

From 8e328eb07cb23c0d5ce0ee1dc3c82be879765b5c Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Mon, 2 Dec 2024 08:37:49 -0500
Subject: [PATCH 11/25] Updates

---
 aspnetcore/blazor/fundamentals/index.md         |  1 +
 .../security/qrcodes-for-authenticator-apps.md  | 10 +++++-----
 .../qrcodes-for-authenticator-apps.md           | 17 +++++++----------
 3 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/aspnetcore/blazor/fundamentals/index.md b/aspnetcore/blazor/fundamentals/index.md
index 1bf538ba6cb1..163b62cf2ca3 100644
--- a/aspnetcore/blazor/fundamentals/index.md
+++ b/aspnetcore/blazor/fundamentals/index.md
@@ -69,6 +69,7 @@ Blazor documentation adopts several conventions for showing and discussing compo
 * [Component parameter](xref:blazor/components/index#component-parameters) values lead with a [Razor reserved `@` symbol](xref:mvc/views/razor#razor-syntax), but it isn't required. Literals (for example, boolean values), keywords (for example, `this`), and `null` as component parameter values aren't prefixed with `@`, but this is also merely a documentation convention. Your own code can prefix literals with `@` if you wish.
 * C# classes use the [`this` keyword](/dotnet/csharp/language-reference/keywords/this) and avoid prefixing fields with an underscore (`_`) that are assigned to in constructors, which differs from the [ASP.NET Core framework engineering guidelines](https://github.com/dotnet/aspnetcore/wiki/Engineering-guidelines).
 * In examples that use [primary constructors (C# 12 or later)](/dotnet/csharp/whats-new/tutorials/primary-constructors), primary constructor parameters are typically used directly by class members.
+* In article code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks, but you're welcome to condense the code in your own apps by removing the artificial line breaks after you paste the code into a project.
 
 Additional information on Razor component syntax is provided in the *Razor syntax* section of <xref:blazor/components/index#razor-syntax>.
 
diff --git a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
index 85533c533e75..5c1ddff0c1b9 100644
--- a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
@@ -11,12 +11,12 @@ uid: blazor/security/qrcodes-for-authenticator-apps
 
 [!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
 
-This article explains how to configure an ASP.NET Core Blazor Web App with QR code generation for Time-based One-time Password Algorithm (TOTP) authenticator apps.
+This article explains how to configure an ASP.NET Core Blazor Web App for two-factor authentication (2FA) with QR codes generated by Time-based One-time Password Algorithm (TOTP) authenticator apps.
 
-For an introduction to two-factor authentication (2FA) using a TOTP authenticator app, see <xref:security/authentication/identity-enable-qrcodes>.
+For an introduction to 2FA with TOTP authenticator apps, see <xref:security/authentication/identity-enable-qrcodes>.
 
 > [!WARNING]
-> TOTP codes should be kept secret because it can be used to authenticate successfully multiple times before it expires.
+> TOTP codes should be kept secret because they can be used to authenticate multiple times before they expire.
 
 ## Scaffold the Enable Authenticator component into the app
 
@@ -33,9 +33,9 @@ For more information, see <xref:security/authentication/scaffold-identity>. For
 
 ## Adding QR codes to the 2FA configuration page
 
-QR codes for use by TOTP authenticator apps must be generated by a QR code library.
+A QR code generated by the app to set up 2FA with an TOTP authenticator app must be generated by a QR code library.
 
-The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
+The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any QR code generation library.
 
 Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the solution's server project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer (see the [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) GitHub repository for details).
 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 1be6688e1c2f..ff8d2619bd58 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -1,7 +1,7 @@
 ---
 title: Enable QR code generation for TOTP authenticator apps in ASP.NET Core Blazor WebAssembly with ASP.NET Core Identity
 author: guardrex
-description: Learn how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with TOTP authenticator app.
+description: Learn how to configure an ASP.NET Core Blazor WebAssembly app with Identity for QR code generation with TOTP authenticator apps.
 ms.author: riande
 monikerRange: '>= aspnetcore-8.0'
 ms.date: 11/21/2024
@@ -11,15 +11,12 @@ uid: blazor/security/webassembly/standalone-with-identity/qrcodes-for-authentica
 
 [!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
 
-This article explains how to configure an ASP.NET Core Blazor WebAssembly app with Identity with QR code generation for Time-based One-time Password Algorithm (TOTP) authenticator apps.
+This article explains how to configure an ASP.NET Core Blazor WebAssembly app with Identity for two-factor authentication (2FA) with QR codes generated by Time-based One-time Password Algorithm (TOTP) authenticator apps.
 
-> [!NOTE]
-> This article only applies standalone Blazor WebAssembly apps with a server backend web API that adopts ASP.NET Core Identity. To implement QR code generation for Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>.
-
-For an introduction to two-factor authentication (2FA) using a TOTP authenticator app, see <xref:security/authentication/identity-enable-qrcodes>.
+For an introduction to 2FA with TOTP authenticator apps, see <xref:security/authentication/identity-enable-qrcodes>.
 
 > [!WARNING]
-> TOTP codes should be kept secret because it can be used to authenticate successfully multiple times before it expires.
+> TOTP codes should be kept secret because they can be used to authenticate multiple times before they expire.
 
 ## Namespaces and article code examples
 
@@ -34,7 +31,7 @@ If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample, change
 
 All of the changes to the solution covered by this article take place in the `BlazorWasmAuth` project.
 
-In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks. You're welcome to condense the code in your own apps by removing the artificial line breaks after you paste the code into a project.
+In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks, but you're welcome to condense the code by removing the artificial line breaks after you paste the code into a project.
 
 ## Optional account confirmation and password recovery
 
@@ -42,9 +39,9 @@ Although apps that implement 2FA authentication often adopt account confirmation
 
 ## Add a QR code library to the app
 
-QR codes for use by TOTP authenticator apps must be generated by a QR code library.
+A QR code generated by the app to set up 2FA with an TOTP authenticator app must be generated by a QR code library.
 
-The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any general QR code generation library.
+The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any QR code generation library.
 
 Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the `wwwroot` folder of the client project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer (see the [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) GitHub repository for details).
 

From 8dfe0bb5d7cde593d4e4a1ba0f9921a554836ad4 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Mon, 2 Dec 2024 10:32:20 -0500
Subject: [PATCH 12/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         |   2 +-
 ...ount-confirmation-and-password-recovery.md |   4 +-
 .../qrcodes-for-authenticator-apps.md         | 306 ++++++++++--------
 3 files changed, 168 insertions(+), 144 deletions(-)

diff --git a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
index 5c1ddff0c1b9..f6f791a85d3e 100644
--- a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
@@ -120,7 +120,7 @@ Make the following changes:
 + <div id="qrCodeData" data-url="@authenticatorUri"></div>
 ```
 
-Change the site name in the `GenerateQrCodeUri` method of the `EnableAuthenticator` component. The default value is `Microsoft.AspNetCore.Identity.UI`. Change the value to a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. Examples: Yahoo, Amazon, Etsy, Microsoft, Zoho. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
+Change the site name in the `GenerateQrCodeUri` method of the `EnableAuthenticator` component. The default value is `Microsoft.AspNetCore.Identity.UI`. Change the value to a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
 
 In the following example, the default value `Microsoft.AspNetCore.Identity.UI` is changed to the company name `Weyland-Yutani Corporation` (&copy;1986 20th Century Studios [*Aliens*](https://www.20thcenturystudios.com/movies/aliens)).
 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
index e31006c1b94e..02c9e7e6eb53 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
@@ -27,8 +27,6 @@ These namespaces correspond to the projects in the `BlazorWebAssemblyStandaloneW
 
 If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample solution, change the namespaces in the code examples to use the namespaces of your projects.
 
-In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks. You're welcome to condense the code in your own apps by removing the artificial line breaks after you paste the code into a project.
-
 ## Select and configure an email provider for the server project
 
 In this article, [Mailchimp's Transactional API](https://mailchimp.com/developer/transactional/api/) is used via [Mandrill.net](https://www.nuget.org/packages/Mandrill.net) to send email. We recommend using an email service to send email rather than SMTP. SMTP is difficult to configure and secure properly. Whichever email service you use, access their guidance for .NET apps, create an account, configure an API key for their service, and install any NuGet packages required.
@@ -160,7 +158,7 @@ Locate the line that calls <xref:Microsoft.Extensions.DependencyInjection.Identi
 In the client project's `Register` component (`Components/Identity/Register.razor`), change the message to users on a successful account registration to instruct them to confirm their account. The following example includes a link to trigger Identity on the server to resend the confirmation email.
 
 ```diff
-- You successfully registered. Now you can <a href="login">login</a>.
+- You successfully registered and can <a href="login">login</a> to the app.
 + You successfully registered. You must now confirm your account by clicking 
 + the link in the email that was sent to you. After confirming your account, 
 + you can <a href="login">login</a> to the app. 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index ff8d2619bd58..a7ff5e3f3881 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -22,20 +22,20 @@ For an introduction to 2FA with TOTP authenticator apps, see <xref:security/auth
 
 The namespaces used by the examples in this article are:
 
-* `Backend` for the backend server web API project ("server project" in this article).
-* `BlazorWasmAuth` for the front-end client standalone Blazor WebAssembly app ("client project" in this article).
+* `Backend` for the backend server web API project, described as the "server project" in this article.
+* `BlazorWasmAuth` for the front-end client standalone Blazor WebAssembly app, described as the "client project" in this article.
 
 These namespaces correspond to the projects in the `BlazorWebAssemblyStandaloneWithIdentity` sample solution in the [`dotnet/blazor-samples` GitHub repository](https://github.com/dotnet/blazor-samples). For more information, see <xref:blazor/security/webassembly/standalone-with-identity/index#sample-apps>.
 
 If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample, change the namespaces in the code examples to use the namespaces of your projects.
 
-All of the changes to the solution covered by this article take place in the `BlazorWasmAuth` project.
+All of the changes to the solution covered by this article take place in the `BlazorWasmAuth` project of the `BlazorWebAssemblyStandaloneWithIdentity` solution.
 
-In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks, but you're welcome to condense the code by removing the artificial line breaks after you paste the code into a project.
+In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks, but you're welcome to condense the code by removing the artificial line breaks after you paste the code into the project.
 
 ## Optional account confirmation and password recovery
 
-Although apps that implement 2FA authentication often adopt account confirmation and password recovery features, 2FA authentication doesn't require it. The guidance in this article can be followed to implement 2FA without following the guidance in <xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery>.
+Although apps that implement 2FA usually adopt account confirmation and password recovery features, 2FA doesn't require it. The guidance in this article can be followed to implement 2FA without following the guidance in <xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery>.
 
 ## Add a QR code library to the app
 
@@ -45,7 +45,7 @@ The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/
 
 Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the `wwwroot` folder of the client project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer (see the [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) GitHub repository for details).
 
-In the client project's `wwwroot/index.html` file, add the following `<script>` tag immediately after the [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
+In the client project's `wwwroot/index.html` file, add the following `<script>` tag immediately after [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
 
 ```html
 <script src="qr-creator.min.js"></script>
@@ -53,7 +53,7 @@ In the client project's `wwwroot/index.html` file, add the following `<script>`
 
 ## Set the TOTP organization name
 
-Set the site name in the app settings file of the client project. Use a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. Examples: Yahoo, Amazon, Etsy, Microsoft, Zoho. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
+Set the site name in the app settings file of the client project. Use a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
 
 In the following example, the the company name is `Weyland-Yutani Corporation` (&copy;1986 20th Century Studios [*Aliens*](https://www.20thcenturystudios.com/movies/aliens)).
 
@@ -63,7 +63,7 @@ Added to `wwwroot/appsettings.json`:
 "TotpOrganizationName": "Weyland-Yutani Corporation"
 ```
 
-The file after the TOTP organization name configuration is added:
+The app settings file after the TOTP organization name configuration is added:
 
 ```json
 {
@@ -108,14 +108,14 @@ public class TwoFactorRequest
 }
 ```
 
-Add the following `TwoFactorResult` class to the `Models` folder. This class is populated by the response to a 2FA request made to the `/manage/2fa` endpoint of <xref:Microsoft.AspNetCore.Routing.IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi%2A> in the server app.
+Add the following `TwoFactorResponse` class to the `Models` folder. This class is populated by the response to a 2FA request made to the `/manage/2fa` endpoint of <xref:Microsoft.AspNetCore.Routing.IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi%2A> in the server app.
 
-`Identity/Models/TwoFactorResult.cs`:
+`Identity/Models/TwoFactorResponse.cs`:
 
 ```csharp
 namespace BlazorWasmAuth.Identity.Models;
 
-public class TwoFactorResult
+public class TwoFactorResponse
 {
     public string SharedKey { get; set; } = string.Empty;
     public int RecoveryCodesLeft { get; set; } = 0;
@@ -134,7 +134,7 @@ Add the following class signatures to the `IAccountManagement` interface. The cl
 * Log in with a 2FA recovery code (`/login` endpoint): `LoginTwoFactorRecoveryCodeAsync`
 * Make a 2FA management request (`/manage/2fa` endpoint): `TwoFactorRequestAsync`
 
-`Identity/IAccountManagement.cs` (paste the following code at the bottom of the interface):
+`Identity/IAccountManagement.cs` (paste the following code at the bottom of the file):
 
 ```csharp
 public Task<FormResult> LoginTwoFactorCodeAsync(
@@ -147,7 +147,7 @@ public Task<FormResult> LoginTwoFactorRecoveryCodeAsync(
     string password, 
     string twoFactorRecoveryCode);
 
-public Task<TwoFactorResult> TwoFactorRequestAsync(
+public Task<TwoFactorResponse> TwoFactorRequestAsync(
     TwoFactorRequest twoFactorRequest);
 ```
 
@@ -177,9 +177,9 @@ private readonly JsonSerializerOptions jsonSerializerOptions =
 
 The `LoginAsync` method is updated with the following logic:
 
-* Attempts a normal login at the `/login` endpoint with an email address (user ID) and password.
+* Attempt a normal login at the `/login` endpoint with an email address and password.
 * If the server responds with a success status code, the method returns a `FormResult` with the `Succeeded` property set to `true`.
-* If the server responds with *401 - Unauthorized* status code and a detail code of "`RequiresTwoFactor`," a `FormResult` is returned with `Succeeded` set to `false` and the `RequiresTwoFactor` detail in the error list.
+* If the server responds with the *401 - Unauthorized* status code and a detail code of "`RequiresTwoFactor`," a `FormResult` is returned with `Succeeded` set to `false` and the `RequiresTwoFactor` detail in the error list.
 
 In `Identity/CookieAuthenticationStateProvider.cs`, replace the `LoginAsync` method with the following code:
 
@@ -227,7 +227,7 @@ public async Task<FormResult> LoginAsync(string email, string password)
 }
 ```
 
-A `LoginTwoFactorCodeAsync` method is added, which sends a request to the `/login` endpoint with a 2FA TOTP code (`twoFactorCode`). Otherwise, the method processes the response in a similar fashion to a normal, non-2FA login request.
+A `LoginTwoFactorCodeAsync` method is added, which sends a request to the `/login` endpoint with a 2FA TOTP code (`twoFactorCode`). The method processes the response in a similar fashion to a normal, non-2FA login request.
 
 Add the following method and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
 
@@ -262,7 +262,7 @@ public async Task<FormResult> LoginTwoFactorCodeAsync(
 }
 ```
 
-A `LoginTwoFactorRecoveryCodeAsync` method is added, which sends a request to the `/login` endpoint with a 2FA recovery code (`twoFactorRecoveryCode`). Otherwise, the method processes the response in a similar fashion to a normal, non-2FA login request.
+A `LoginTwoFactorRecoveryCodeAsync` method is added, which sends a request to the `/login` endpoint with a 2FA recovery code (`twoFactorRecoveryCode`). The method processes the response in a similar fashion to a normal, non-2FA login request.
 
 Add the following method and class to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
 
@@ -299,16 +299,16 @@ public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email,
 
 A `TwoFactorRequestAsync` method is added, which is used to manage 2FA for the user:
 
-* Reset the shared 2FA key when `TwoFactorRequest.ResetSharedKey` is `true`. Resetting the shared key implicitly disables two-factor authentication. This forces the user to prove that they can provide a valid TOTP code from their authenticator app to enable 2FA after receiving a new shared key.
+* Reset the shared 2FA key when `TwoFactorRequest.ResetSharedKey` is `true`. Resetting the shared key implicitly disables 2FA. This forces the user to prove that they can provide a valid TOTP code from their authenticator app to enable 2FA after receiving a new shared key.
 * Reset the user's recovery codes when `TwoFactorRequest.ResetRecoveryCodes` is `true`.
 * Forget the machine when `TwoFactorRequest.ForgetMachine` is `true`, which means that a new 2FA TOTP code is required on the next login attempt.
-* Enable 2FA using a 2FA code from a TOTP authenticator app when `TwoFactorRequest.Enable` is `true` and `TwoFactorRequest.TwoFactorCode` has a valid TOTP value.
+* Enable 2FA using a TOTP code from a TOTP authenticator app when `TwoFactorRequest.Enable` is `true` and `TwoFactorRequest.TwoFactorCode` has a valid TOTP value.
 * Obtain 2FA status with an empty request when all of `TwoFactorRequest`'s properties are `null`.
 
 Add the following `TwoFactorRequestAsync` method to `Identity/CookieAuthenticationStateProvider.cs` (paste the following code at the bottom of the class file):
 
 ```csharp
-public async Task<TwoFactorResult> TwoFactorRequestAsync(TwoFactorRequest twoFactorRequest)
+public async Task<TwoFactorResponse> TwoFactorRequestAsync(TwoFactorRequest twoFactorRequest)
 {
     string[] defaultDetail = 
         [ "An unknown error prevented two-factor authentication." ];
@@ -320,7 +320,7 @@ public async Task<TwoFactorResult> TwoFactorRequestAsync(TwoFactorRequest twoFac
     if (response.IsSuccessStatusCode)
     {
         return await response.Content
-            .ReadFromJsonAsync<TwoFactorResult>() ??
+            .ReadFromJsonAsync<TwoFactorResponse>() ??
             new()
             { 
                 ErrorList = [ "There was an error processing the request." ]
@@ -349,7 +349,7 @@ public async Task<TwoFactorResult> TwoFactorRequestAsync(TwoFactorRequest twoFac
     }
 
     // return the error list
-    return new TwoFactorResult
+    return new TwoFactorResponse
     {
         ErrorList = problemDetails == null ? defaultDetail : [.. errors]
     };
@@ -360,7 +360,7 @@ public async Task<TwoFactorResult> TwoFactorRequestAsync(TwoFactorRequest twoFac
 
 Replace the `Login` component. The following version of the `Login` component:
 
-* Accepts a user's email address (user ID) and password for an initial login attempt.
+* Accepts a user's email address and password for an initial login attempt.
 * If login is successful (2FA is disabled), the component notifies the user that they're authenticated.
 * If the login attempt results in a response indicating that 2FA is required, a 2FA input element appears to receive either a 2FA TOTP code from an authenticator app or a recovery code. Depending on which code the user enters, login is attempted again by calling either `LoginTwoFactorCodeAsync` for a TOTP code or `LoginTwoFactorRecoveryCodeAsync` for a recovery code.
 
@@ -441,7 +441,7 @@ Replace the `Login` component. The following version of the `Login` component:
                                     autocomplete="off" 
                                     placeholder="###### or #####-#####" />
                                 <label for="Input.TwoFactorCode" class="form-label">
-                                    2FA Authenticator Code or Recovery Code
+                                    Two-factor Code or Recovery Code
                                 </label>
                                 <ValidationMessage For="() => Input.TwoFactorCode" 
                                     class="text-danger" />
@@ -496,9 +496,9 @@ Replace the `Login` component. The following version of the `Login` component:
 
                     if (formResult.Succeeded)
                     {
-                        var twoFactorResult = await Acct.TwoFactorRequestAsync(new());
+                        var twoFactorResponse = await Acct.TwoFactorRequestAsync(new());
                         recoveryCodesRemainingMessage =
-                            $"You have {twoFactorResult.RecoveryCodesLeft} recovery " +
+                            $"You have {twoFactorResponse.RecoveryCodesLeft} recovery " +
                             "codes remaining.";
                     }
                 }
@@ -541,6 +541,20 @@ Replace the `Login` component. The following version of the `Login` component:
 }
 ```
 
+Using the preceding component, the user is remembered after a successful login with a valid TOTP code from an authenticator app. If you want to always require a TOTP code for login and not remember the machine, call the `TwoFactorRequestAsync` method with `TwoFactorRequest.ForgetMachine` set to `true` immediately after a successful two-factor login:
+
+```diff
+if (Input.TwoFactorCode.Length == 6)
+{
+    formResult = await Acct.LoginTwoFactorCodeAsync(Input.Email, Input.Password, Input.TwoFactorCode);
+
++    if (formResult.Succeeded)
++    {
++        var forgetMachine = await Acct.TwoFactorRequestAsync(new() { ForgetMachine = true });
++    }
+}
+```
+
 ## Add a component to display recovery codes
 
 Add the following `ShowRecoveryCodes` component to the app to display recovery codes to the user.
@@ -582,7 +596,7 @@ Add the following `Manage2fa` component to the app to manage 2FA for users.
 
 If 2FA isn't enabled, the component loads a form with a QR code to enable 2FA with a TOTP authenticator app. The user adds the app to their authenticator app and then verifies the authenticator app and enables 2FA by providing a TOTP code from the authenticator app.
 
-If 2FA is enabled, a button appears to disable 2FA.
+If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 
 `Components/Identity/Manage2fa.razor`:
 
@@ -608,118 +622,126 @@ If 2FA is enabled, a button appears to disable 2FA.
 <hr />
 <div class="row">
     <div class="col">
-        @if (twoFactorResult is not null)
+        @if (loading)
         {
-            @foreach (var error in twoFactorResult.ErrorList)
-            {
-                <div class="alert alert-danger">@error</div>
-            }
-            @if (twoFactorResult.IsTwoFactorEnabled)
+            <p>Loading ...</p>
+        }
+        else
+        {
+            @if (twoFactorResponse is not null)
             {
-                <div class="alert alert-success" role="alert">
-                    Two-factor authentication is enabled for your account.
-                </div>
-
-                <div class="m-1">
-                    <button @onclick="Disable2FA" class="btn btn-lg btn-primary">
-                        Disable 2FA
-                    </button>
-                </div>
-
-                @if (twoFactorResult.RecoveryCodes is null)
+                @foreach (var error in twoFactorResponse.ErrorList)
                 {
+                    <div class="alert alert-danger">@error</div>
+                }
+                @if (twoFactorResponse.IsTwoFactorEnabled)
+                {
+                    <div class="alert alert-success" role="alert">
+                        Two-factor authentication is enabled for your account.
+                    </div>
+
                     <div class="m-1">
-                        <button @onclick="GenerateNewCodes" 
-                                class="btn btn-lg btn-primary">
-                            Generate New Recovery Codes
+                        <button @onclick="Disable2FA" class="btn btn-lg btn-primary">
+                            Disable 2FA
                         </button>
                     </div>
+
+                    @if (twoFactorResponse.RecoveryCodes is null)
+                    {
+                        <div class="m-1">
+                            <button @onclick="GenerateNewCodes" 
+                                    class="btn btn-lg btn-primary">
+                                Generate New Recovery Codes
+                            </button>
+                        </div>
+                    }
+                    else
+                    {
+                        <ShowRecoveryCodes 
+                            RecoveryCodes="twoFactorResponse.RecoveryCodes" />
+                    }
                 }
                 else
                 {
-                    <ShowRecoveryCodes 
-                        RecoveryCodes="twoFactorResult.RecoveryCodes" />
-                }
-            }
-            else
-            {
-                <h3>Configure authenticator app</h3>
-                <div>
-                    <p>To use an authenticator app:</p>
-                    <ol class="list">
-                        <li>
-                            <p>
-                                Download a two-factor authenticator app, such 
-                                as either of the following:
-                                <ul>
-                                    <li>
-                                        Microsoft Authenticator for
-                                        <a href="https://go.microsoft.com/fwlink/?Linkid=825072">
-                                            Android
-                                        </a> and
-                                        <a href="https://go.microsoft.com/fwlink/?Linkid=825073">
-                                            iOS
-                                        </a>
-                                    </li>
-                                    <li>
-                                        Google Authenticator for
-                                        <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2">
-                                            Android
-                                        </a> and
-                                        <a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8">
-                                            iOS
-                                        </a>
-                                    </li>
-                                </ul>
-                            </p>
-                        </li>
-                        <li>
-                            <p>
-                                Scan the QR Code or enter this key 
-                                <kbd>@twoFactorResult.SharedKey</kbd> into your 
-                                two factor authenticator app. Spaces and casing 
-                                don't matter.
-                            </p>
-                            <div @ref="qrCodeElement"></div>
-                        </li>
-                        <li>
-                            <p>
-                                Once you have scanned the QR code or input the 
-                                key above, your two factor authentication app 
-                                will provide you with a unique code. Enter the 
-                                code in the confirmation box below.
-                            </p>
-                            <div class="row">
-                                <div class="col-xl-6">
-                                    <EditForm Model="Input" 
-                                            FormName="send-code" 
-                                            OnValidSubmit="OnValidSubmitAsync" 
-                                            method="post">
-                                        <DataAnnotationsValidator />
-                                        <div class="form-floating mb-3">
-                                            <InputText 
-                                                @bind-Value="Input.Code" 
-                                                id="Input.Code" 
-                                                class="form-control" 
-                                                autocomplete="off" 
-                                                placeholder="Enter the code" />
-                                            <label for="Input.Code" 
-                                                    class="control-label form-label">
-                                                Verification Code
-                                            </label>
-                                            <ValidationMessage 
-                                                For="() => Input.Code" 
-                                                class="text-danger" />
-                                        </div>
-                                        <button type="submit" class="w-100 btn btn-lg btn-primary">
-                                            Verify
-                                        </button>
-                                    </EditForm>
+                    <h3>Configure authenticator app</h3>
+                    <div>
+                        <p>To use an authenticator app:</p>
+                        <ol class="list">
+                            <li>
+                                <p>
+                                    Download a two-factor authenticator app, such 
+                                    as either of the following:
+                                    <ul>
+                                        <li>
+                                            Microsoft Authenticator for
+                                            <a href="https://go.microsoft.com/fwlink/?Linkid=825072">
+                                                Android
+                                            </a> and
+                                            <a href="https://go.microsoft.com/fwlink/?Linkid=825073">
+                                                iOS
+                                            </a>
+                                        </li>
+                                        <li>
+                                            Google Authenticator for
+                                            <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2">
+                                                Android
+                                            </a> and
+                                            <a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8">
+                                                iOS
+                                            </a>
+                                        </li>
+                                    </ul>
+                                </p>
+                            </li>
+                            <li>
+                                <p>
+                                    Scan the QR Code or enter this key 
+                                    <kbd>@twoFactorResponse.SharedKey</kbd> into your 
+                                    two-factor authenticator app. Spaces and casing 
+                                    don't matter.
+                                </p>
+                                <div @ref="qrCodeElement"></div>
+                            </li>
+                            <li>
+                                <p>
+                                    After you have scanned the QR code or input the 
+                                    key above, your two-factor authenticator app 
+                                    will provide you with a unique two-factor code. 
+                                    Enter the code in the confirmation box below.
+                                </p>
+                                <div class="row">
+                                    <div class="col-xl-6">
+                                        <EditForm Model="Input" 
+                                                FormName="send-code" 
+                                                OnValidSubmit="OnValidSubmitAsync" 
+                                                method="post">
+                                            <DataAnnotationsValidator />
+                                            <div class="form-floating mb-3">
+                                                <InputText 
+                                                    @bind-Value="Input.Code" 
+                                                    id="Input.Code" 
+                                                    class="form-control" 
+                                                    autocomplete="off" 
+                                                    placeholder="Enter the code" />
+                                                <label for="Input.Code" 
+                                                        class="control-label form-label">
+                                                    Verification Code
+                                                </label>
+                                                <ValidationMessage 
+                                                    For="() => Input.Code" 
+                                                    class="text-danger" />
+                                            </div>
+                                            <button type="submit" 
+                                                    class="w-100 btn btn-lg btn-primary">
+                                                Verify
+                                            </button>
+                                        </EditForm>
+                                    </div>
                                 </div>
-                            </div>
-                        </li>
-                    </ol>
-                </div>
+                            </li>
+                        </ol>
+                    </div>
+                }
             }
         }
     </div>
@@ -727,8 +749,9 @@ If 2FA is enabled, a button appears to disable 2FA.
 
 @code {
     private IJSObjectReference? module;
-    private TwoFactorResult twoFactorResult = new();
+    private TwoFactorResponse twoFactorResponse = new();
     private ElementReference qrCodeElement;
+    private bool loading = true;
 
     [SupplyParameterFromForm]
     private InputModel Input { get; set; } = new();
@@ -738,7 +761,8 @@ If 2FA is enabled, a button appears to disable 2FA.
 
     protected override async Task OnInitializedAsync()
     {
-        twoFactorResult = await Acct.TwoFactorRequestAsync(new());
+        twoFactorResponse = await Acct.TwoFactorRequestAsync(new());
+        loading = false;
     }
 
     protected override async Task OnAfterRenderAsync(bool firstRender)
@@ -750,7 +774,7 @@ If 2FA is enabled, a button appears to disable 2FA.
         }
 
         if (authenticationState is not null &&
-            !string.IsNullOrEmpty(twoFactorResult?.SharedKey) &&
+            !string.IsNullOrEmpty(twoFactorResponse?.SharedKey) &&
             module is not null)
         {
             var authState = await authenticationState;
@@ -761,7 +785,7 @@ If 2FA is enabled, a button appears to disable 2FA.
                 "otpauth://totp/{0}:{1}?secret={2}&issuer={0}&digits=6",
                 UrlEncoder.Default.Encode(Config["TotpOrganizationName"]!),
                 email,
-                twoFactorResult.SharedKey);
+                twoFactorResponse.SharedKey);
 
             await module.InvokeVoidAsync("setQrCode", qrCodeElement, uri);
         }
@@ -769,19 +793,19 @@ If 2FA is enabled, a button appears to disable 2FA.
 
     private async Task Disable2FA()
     {
-        twoFactorResult = 
+        twoFactorResponse = 
             await Acct.TwoFactorRequestAsync(new() { ResetSharedKey = true });
     }
 
     private async Task GenerateNewCodes()
     {
-        twoFactorResult = 
+        twoFactorResponse = 
             await Acct.TwoFactorRequestAsync(new() { ResetRecoveryCodes = true });
     }
 
     private async Task OnValidSubmitAsync()
     {
-        twoFactorResult = await Acct.TwoFactorRequestAsync(
+        twoFactorResponse = await Acct.TwoFactorRequestAsync(
             new() 
             { 
                 Enable = true, 
@@ -810,13 +834,15 @@ If 2FA is enabled, a button appears to disable 2FA.
 }
 ```
 
-Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript-location#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component) to the project. The `setQrCode` function uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) to create a QR code from the URI string if the `qrCode` element is rendered by the `Manage2fa` component. To customize features of the generated QR code, see the library maintainer's documentation at their GitHub repository.
+Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript-location#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component) to the project. The `setQrCode` function uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) to create a QR code from the URI string if the `qrCode` element is rendered by the `Manage2fa` component. To customize features of the generated QR code, see the `nimiq/qr-creator` documentation at their GitHub repository.
 
 `Components/Identity/Manage2fa.razor.js`:
 
 ```javascript
 export function setQrCode(qrCodeElement, uri) {
-  if (qrCodeElement !== null && !qrCodeElement.innerHTML.trim()) {
+  if (qrCodeElement !== null &&
+      qrCodeElement.innerHTML !== undefined &&
+      !qrCodeElement.innerHTML.trim()) {
     QrCreator.render({
       text: uri,
       radius: 0,
@@ -855,5 +881,5 @@ In the `<Authorized>` content of the `<AuthorizeView>` in `Components/Layout/Nav
 
 ## Additional resources
 
-* [Mandrill.net (GitHub repository)](https://github.com/feinoujc/Mandrill.net)
-* [Mailchimp developer: Transactional API](https://mailchimp.com/developer/transactional/docs/fundamentals/)
+* [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator)
+* <xref:Microsoft.AspNetCore.Routing.IdentityApiEndpointRouteBuilderExtensions.MapIdentityApi%2A>

From 5a80e7e61ae8a539c77260afd88e8a66670331c3 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Tue, 3 Dec 2024 12:13:17 -0500
Subject: [PATCH 13/25] Updates

---
 .../security/qrcodes-for-authenticator-apps.md    | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
index f6f791a85d3e..e6bdb7051587 100644
--- a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
@@ -15,22 +15,11 @@ This article explains how to configure an ASP.NET Core Blazor Web App for two-fa
 
 For an introduction to 2FA with TOTP authenticator apps, see <xref:security/authentication/identity-enable-qrcodes>.
 
+The guidance in this article relies upon either creating the app with **Individual Accounts** for the new app's **Authentication type** or [scaffolding Identity into an existing app](xref:security/authentication/scaffold-identity#scaffold-identity-into-a-blazor-project). For guidance on using the .NET CLI instead of Visual Studio for scaffolding Identity into an existing app, see <xref:fundamentals/tools/dotnet-aspnet-codegenerator>.
+
 > [!WARNING]
 > TOTP codes should be kept secret because they can be used to authenticate multiple times before they expire.
 
-## Scaffold the Enable Authenticator component into the app
-
-Follow the guidance in <xref:security/authentication/scaffold-identity#scaffold-identity-into-a-blazor-project> to scaffold `Pages\Manage\EnableAuthenticator` into the app.
-
-<!-- UPDATE 9.0 Update NOTE per followup on the issue -->
-
-> [!NOTE]
-> Although only the `EnableAuthenticator` component is selected for scaffolding in this example, scaffolding currently adds all of the Identity components to the app. Additionally, exceptions may be thrown during the process of scaffolding into the app. If exceptions occur when database migrations occur, stop the app and restart the app on each exception. For more information, see [Scaffolding exceptions for Blazor Web App (`dotnet/Scaffolding` #2694)](https://github.com/dotnet/Scaffolding/issues/2694).
-
-Be patient while migrations are executed. Depending on the speed of the system, it can take up to a minute or two for database migrations to finish.
-
-For more information, see <xref:security/authentication/scaffold-identity>. For guidance on using the .NET CLI instead of Visual Studio, see <xref:fundamentals/tools/dotnet-aspnet-codegenerator>.
-
 ## Adding QR codes to the 2FA configuration page
 
 A QR code generated by the app to set up 2FA with an TOTP authenticator app must be generated by a QR code library.

From e3d87d37aa73aaa311a253a8a172f0aa65ab513e Mon Sep 17 00:00:00 2001
From: Luke Latham <1622880+guardrex@users.noreply.github.com>
Date: Tue, 3 Dec 2024 19:52:40 -0500
Subject: [PATCH 14/25] Apply suggestions from code review

Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
---
 aspnetcore/blazor/fundamentals/index.md                         | 2 +-
 .../standalone-with-identity/qrcodes-for-authenticator-apps.md  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/aspnetcore/blazor/fundamentals/index.md b/aspnetcore/blazor/fundamentals/index.md
index 163b62cf2ca3..7fe074617b1f 100644
--- a/aspnetcore/blazor/fundamentals/index.md
+++ b/aspnetcore/blazor/fundamentals/index.md
@@ -69,7 +69,7 @@ Blazor documentation adopts several conventions for showing and discussing compo
 * [Component parameter](xref:blazor/components/index#component-parameters) values lead with a [Razor reserved `@` symbol](xref:mvc/views/razor#razor-syntax), but it isn't required. Literals (for example, boolean values), keywords (for example, `this`), and `null` as component parameter values aren't prefixed with `@`, but this is also merely a documentation convention. Your own code can prefix literals with `@` if you wish.
 * C# classes use the [`this` keyword](/dotnet/csharp/language-reference/keywords/this) and avoid prefixing fields with an underscore (`_`) that are assigned to in constructors, which differs from the [ASP.NET Core framework engineering guidelines](https://github.com/dotnet/aspnetcore/wiki/Engineering-guidelines).
 * In examples that use [primary constructors (C# 12 or later)](/dotnet/csharp/whats-new/tutorials/primary-constructors), primary constructor parameters are typically used directly by class members.
-* In article code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks, but you're welcome to condense the code in your own apps by removing the artificial line breaks after you paste the code into a project.
+In article examples, code lines are split to reduce horizontal scrolling. These breaks don't affect execution but can be removed when pasting into your project.
 
 Additional information on Razor component syntax is provided in the *Razor syntax* section of <xref:blazor/components/index#razor-syntax>.
 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index a7ff5e3f3881..a8a48ded26b8 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -31,7 +31,7 @@ If you aren't using the `BlazorWebAssemblyStandaloneWithIdentity` sample, change
 
 All of the changes to the solution covered by this article take place in the `BlazorWasmAuth` project of the `BlazorWebAssemblyStandaloneWithIdentity` solution.
 
-In this article's code examples, the code lines are artificially broken across two or more lines to eliminate or reduce horizontal scrolling of the article's code blocks. The code executes regardless of these artificial line breaks, but you're welcome to condense the code by removing the artificial line breaks after you paste the code into the project.
+In article examples, code lines are split to reduce horizontal scrolling. These breaks don't affect execution but can be removed when pasting into your project.
 
 ## Optional account confirmation and password recovery
 

From 22f2568f7d8bc803baab74cf51b3d2e211da09c6 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:26:14 -0500
Subject: [PATCH 15/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         | 101 +++++++-----------
 .../qrcodes-for-authenticator-apps.md         |  65 ++++-------
 2 files changed, 57 insertions(+), 109 deletions(-)

diff --git a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
index e6bdb7051587..6726d5e3d6cf 100644
--- a/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/qrcodes-for-authenticator-apps.md
@@ -24,92 +24,49 @@ The guidance in this article relies upon either creating the app with **Individu
 
 A QR code generated by the app to set up 2FA with an TOTP authenticator app must be generated by a QR code library.
 
-The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any QR code generation library.
+The guidance in this article uses [`manuelbl/QrCodeGenerator`](https://github.com/manuelbl/QrCodeGenerator), but you can use any QR code generation library.
 
-Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the solution's server project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer (see the [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) GitHub repository for details).
+Add a package reference for the [`Net.Codecrete.QrCodeGenerator`](https://www.nuget.org/packages/Net.Codecrete.QrCodeGenerator) NuGet package.
 
-In the `App` component (`Components/App.razor`), place a library script reference after [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
+[!INCLUDE[](~/includes/package-reference.md)]
 
-```html
-<script src="qr-creator.min.js"></script>
-```
-
-The `EnableAuthenticator` component, which is part of the QR code system in the app and displays the QR code to users, adopts static server-side rendering (static SSR) with enhanced navigation. Therefore, normal scripts can't execute when the component loads or updates under enhanced navigation. Extra steps are required to trigger the QR code to load in the UI when the page is loaded. To accomplish loading the QR code, the approach explained in <xref:blazor/js-interop/ssr> is adopted.
-
-Add the following [JavaScript initializer](xref:blazor/fundamentals/startup#javascript-initializers) to the server project's `wwwroot` folder. The `{NAME}` placeholder must be the name of the app's assembly in order for Blazor to locate and load the file automatically. If the server app's assembly name is `BlazorSample`, the file is named `BlazorSample.lib.module.js`.
-
-`wwwroot/{NAME}.lib.module.js`:
-
-[!INCLUDE[](~/blazor/includes/js-interop/blazor-page-script.md)]
-
-Add the following shared `PageScript` component to the server app.
-
-`Components/PageScript.razor`:
+Open the `EnableAuthenticator` component in the `Components/Account/Pages/Manage` folder. At the top of the file under the `@page` directive, add an `@using` directive for the QrCodeGenerator namespace:
 
 ```razor
-<page-script src="@Src"></page-script>
-
-@code {
-    [Parameter]
-    [EditorRequired]
-    public string Src { get; set; } = default!;
-}
+@using Net.Codecrete.QrCodeGenerator
 ```
 
-Add the following [collocated JS file](xref:blazor/js-interop/javascript-location#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component) for the `EnableAuthenticator` component, which is located at `Components/Account/Pages/Manage/EnableAuthenticator.razor`. The `onLoad` function creates the QR code with Sangmin's `qrcode.js` library using the QR code URI produced by the `GenerateQrCodeUri` method in the component's `@code` block.
-
-`Components/Account/Pages/Manage/EnableAuthenticator.razor.js`:
-
-```javascript
-export function onLoad() {
-  const uri = document.getElementById('qrCodeData').getAttribute('data-url');
-  QrCreator.render({
-    text: uri,
-    radius: 0,
-    ecLevel: 'H',
-    fill: '#000000',
-    background: null,
-    size: 190
-  }, document.querySelector('#qrCode'));
-}
-```
-
-Under the `<PageTitle>` component in the `EnableAuthenticator` component, add the `PageScript` component with the path to the collocated JS file:
-
-```razor
-<PageScript Src="./Components/Account/Pages/Manage/EnableAuthenticator.razor.js" />
-```
-
-> [!NOTE]
-> An alternative to using the approach with the `PageScript` component is to use an event listener (`blazor.addEventListener("enhancedload", {CALLBACK})`) registered in an [`afterWebStarted` JS initializer](xref:blazor/fundamentals/startup#javascript-initializers) to listen for page updates caused by enhanced navigation. The callback (`{CALLBACK}` placeholder) performs the QR code initialization logic.
->
-> Using the callback approach with `enhancedload`, the code executes for every enhanced navigation, even when the QR code `<div>` isn't rendered. Therefore, additional code must be added to check for the presence of the `<div>` before executing the code that adds a QR code.
-
-
-Delete the `<div>` element that contains the QR code instructions:
+Delete the `<div>` element that contains the QR code instructions and the two `<div>` elements where the QR code should appear and where the QR code data is stored in the page:
 
 ```diff
 - <div class="alert alert-info">
 -     Learn how to <a href="https://go.microsoft.com/fwlink/?Linkid=852423">enable 
 -     QR code generation</a>.
 - </div>
+- <div></div>
+- <div data-url="@authenticatorUri"></div>
 ```
 
-Locate the two `<div>` elements where the QR code should appear and where the QR code data is stored in the page.
+Replace the deleted elements with the following markup:
 
-Make the following changes:
+```razor
+<div>
+    <svg xmlns="http://www.w3.org/2000/svg" height="300" width="300" stroke="none" 
+            version="1.1" viewBox="0 0 50 50">
+        <rect width="300" height="300" fill="#ffffff" />
+        <path d="@svgGraphicsPath" fill="#000000" />
+    </svg>
+</div>
+```
 
-* For the empty `<div>`, give the element an `id` of `qrCode`.
-* For the `<div>` with the `data-url` attribute, give the element an `id` of `qrCodeData`.
+Just inside the opening `@code` block, change the variable declaration for `authenticatorUri` to `svgGraphicsPath`:
 
 ```diff
-- <div></div>
-- <div data-url="@authenticatorUri"></div>
-+ <div id="qrCode"></div>
-+ <div id="qrCodeData" data-url="@authenticatorUri"></div>
+- private string? authenticatorUri;
++ private string? svgGraphicsPath;
 ```
 
-Change the site name in the `GenerateQrCodeUri` method of the `EnableAuthenticator` component. The default value is `Microsoft.AspNetCore.Identity.UI`. Change the value to a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
+Change the site name in the `GenerateQrCodeUri` method. The default value is `Microsoft.AspNetCore.Identity.UI`. Change the value to a meaningful site name that users can identify easily in their authenticator app. Developers usually set a site name that matches the company's name. We recommend limiting the site name length to 30 characters or less to allow the site name to display on narrow mobile device screens.
 
 In the following example, the default value `Microsoft.AspNetCore.Identity.UI` is changed to the company name `Weyland-Yutani Corporation` (&copy;1986 20th Century Studios [*Aliens*](https://www.20thcenturystudios.com/movies/aliens)).
 
@@ -120,6 +77,20 @@ In the `GenerateQrCodeUri` method:
 + UrlEncoder.Encode("Weyland-Yutani Corporation"),
 ```
 
+At the bottom of the `LoadSharedKeyAndQrCodeUriAsync` method, add the [`var` keyword](/dotnet/csharp/programming-guide/classes-and-structs/implicitly-typed-local-variables) to the line that sets `authenticatorUri`, making it an implicitly-typed local variable:
+
+```diff
+- authenticatorUri = GenerateQrCodeUri(email!, unformattedKey!);
++ var authenticatorUri = GenerateQrCodeUri(email!, unformattedKey!);
+```
+
+Add the following lines of code at the bottom of the `LoadSharedKeyAndQrCodeUriAsync` method:
+
+```csharp
+var qr = QrCode.EncodeText(authenticatorUri, QrCode.Ecc.Medium);
+svgGraphicsPath = qr.ToGraphicsPath();
+```
+
 Run the app and ensure that the QR code is scannable and that the code validates.
 
 > [!WARNING]
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index a8a48ded26b8..a267db64bd0a 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -41,15 +41,11 @@ Although apps that implement 2FA usually adopt account confirmation and password
 
 A QR code generated by the app to set up 2FA with an TOTP authenticator app must be generated by a QR code library.
 
-The guidance in this article uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator), but you can use any QR code generation library.
+The guidance in this article uses [`manuelbl/QrCodeGenerator`](https://github.com/manuelbl/QrCodeGenerator), but you can use any QR code generation library.
 
-Download the [`qr-creator.min.js`](https://cdn.jsdelivr.net/npm/qr-creator/dist/qr-creator.min.js) library to the `wwwroot` folder of the client project. The library has no dependencies. If you intend to use the library to generate other QR codes elsewhere in the app for your own purposes, there's also a module version of the library available from the maintainer (see the [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) GitHub repository for details).
+Add a package reference to the client project for the [`Net.Codecrete.QrCodeGenerator`](https://www.nuget.org/packages/Net.Codecrete.QrCodeGenerator) NuGet package.
 
-In the client project's `wwwroot/index.html` file, add the following `<script>` tag immediately after [Blazor's `<script>` tag](xref:blazor/project-structure#location-of-the-blazor-script):
-
-```html
-<script src="qr-creator.min.js"></script>
-```
+[!INCLUDE[](~/includes/package-reference.md)]
 
 ## Set the TOTP organization name
 
@@ -606,6 +602,7 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 @using System.Globalization
 @using System.Text
 @using System.Text.Encodings.Web
+@using Net.Codecrete.QrCodeGenerator
 @using BlazorWasmAuth.Identity
 @using BlazorWasmAuth.Identity.Models
 @attribute [Authorize]
@@ -613,7 +610,6 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 @inject IAccountManagement Acct
 @inject IAuthorizationService AuthorizationService
 @inject IConfiguration Config
-@inject IJSRuntime JS
 @inject ILogger<Manage2fa> Logger
 
 <PageTitle>Manage 2FA</PageTitle>
@@ -700,7 +696,14 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
                                     two-factor authenticator app. Spaces and casing 
                                     don't matter.
                                 </p>
-                                <div @ref="qrCodeElement"></div>
+                                <div>
+                                    <svg xmlns="http://www.w3.org/2000/svg" height="300" 
+                                            width="300" stroke="none" version="1.1" 
+                                            viewBox="0 0 50 50">
+                                        <rect width="300" height="300" fill="#ffffff" />
+                                        <path d="@svgGraphicsPath" fill="#000000" />
+                                    </svg>
+                                </div>
                             </li>
                             <li>
                                 <p>
@@ -748,10 +751,9 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 </div>
 
 @code {
-    private IJSObjectReference? module;
     private TwoFactorResponse twoFactorResponse = new();
-    private ElementReference qrCodeElement;
     private bool loading = true;
+    private string? svgGraphicsPath;
 
     [SupplyParameterFromForm]
     private InputModel Input { get; set; } = new();
@@ -762,39 +764,35 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
     protected override async Task OnInitializedAsync()
     {
         twoFactorResponse = await Acct.TwoFactorRequestAsync(new());
+        svgGraphicsPath = await GetQrCode(twoFactorResponse.SharedKey);
         loading = false;
     }
 
-    protected override async Task OnAfterRenderAsync(bool firstRender)
+    private async Task<string> GetQrCode(string sharedKey)
     {
-        if (firstRender)
-        {
-            module = await JS.InvokeAsync<IJSObjectReference>("import",
-                "./Components/Identity/Manage2fa.razor.js");
-        }
-
-        if (authenticationState is not null &&
-            !string.IsNullOrEmpty(twoFactorResponse?.SharedKey) &&
-            module is not null)
+        if (authenticationState is not null && !string.IsNullOrEmpty(sharedKey))
         {
             var authState = await authenticationState;
             var email = authState?.User?.Identity?.Name!;
-
             var uri = string.Format(
                 CultureInfo.InvariantCulture,
                 "otpauth://totp/{0}:{1}?secret={2}&issuer={0}&digits=6",
                 UrlEncoder.Default.Encode(Config["TotpOrganizationName"]!),
                 email,
                 twoFactorResponse.SharedKey);
+            var qr = QrCode.EncodeText(uri, QrCode.Ecc.Medium);
 
-            await module.InvokeVoidAsync("setQrCode", qrCodeElement, uri);
+            return qr.ToGraphicsPath();
         }
+
+        return string.Empty;
     }
 
     private async Task Disable2FA()
     {
         twoFactorResponse = 
             await Acct.TwoFactorRequestAsync(new() { ResetSharedKey = true });
+        svgGraphicsPath = await GetQrCode(twoFactorResponse.SharedKey);
     }
 
     private async Task GenerateNewCodes()
@@ -834,27 +832,6 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 }
 ```
 
-Add the following [collocated JavaScript file](xref:blazor/js-interop/javascript-location#load-a-script-from-an-external-javascript-file-js-collocated-with-a-component) to the project. The `setQrCode` function uses [`nimiq/qr-creator`](https://github.com/nimiq/qr-creator) to create a QR code from the URI string if the `qrCode` element is rendered by the `Manage2fa` component. To customize features of the generated QR code, see the `nimiq/qr-creator` documentation at their GitHub repository.
-
-`Components/Identity/Manage2fa.razor.js`:
-
-```javascript
-export function setQrCode(qrCodeElement, uri) {
-  if (qrCodeElement !== null &&
-      qrCodeElement.innerHTML !== undefined &&
-      !qrCodeElement.innerHTML.trim()) {
-    QrCreator.render({
-      text: uri,
-      radius: 0,
-      ecLevel: 'H',
-      fill: '#000000',
-      background: null,
-      size: 190
-    }, qrCodeElement);
-  }
-}
-```
-
 ## Link to the the Manage 2FA page
 
 Add a link to the navigation menu for users to reach the `Manage2fa` component page.

From c1e2bd8c2c20291e3a3651a1adb44d6a67e3b548 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:28:21 -0500
Subject: [PATCH 16/25] Updates

---
 .../qrcodes-for-authenticator-apps.md                    | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index a267db64bd0a..1ce2e999b86f 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -606,7 +606,6 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 @using BlazorWasmAuth.Identity
 @using BlazorWasmAuth.Identity.Models
 @attribute [Authorize]
-@implements IAsyncDisposable
 @inject IAccountManagement Acct
 @inject IAuthorizationService AuthorizationService
 @inject IConfiguration Config
@@ -821,14 +820,6 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
         [Display(Name = "Verification Code")]
         public string Code { get; set; } = string.Empty;
     }
-
-    async ValueTask IAsyncDisposable.DisposeAsync()
-    {
-        if (module is not null)
-        {
-            await module.DisposeAsync();
-        }
-    }
 }
 ```
 

From d716300f021605322e0e0adc2a9f3851035d1091 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 4 Dec 2024 11:02:01 -0500
Subject: [PATCH 17/25] Updates

---
 aspnetcore/security/authentication/identity-enable-qrcodes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aspnetcore/security/authentication/identity-enable-qrcodes.md b/aspnetcore/security/authentication/identity-enable-qrcodes.md
index 754222afd22c..fb9bd7b19282 100644
--- a/aspnetcore/security/authentication/identity-enable-qrcodes.md
+++ b/aspnetcore/security/authentication/identity-enable-qrcodes.md
@@ -17,7 +17,7 @@ ASP.NET Core ships with support for authenticator applications for individual au
 
 :::moniker range=">= aspnetcore-8.0"
 
-The ASP.NET Core web app templates support authenticators but don't provide support for QR code generation. QR code generators ease the setup of 2FA. This document provides guidance for Razor Pages and MVC apps on how to add [QR code](https://wikipedia.org/wiki/QR_code) generation to the 2FA configuration page. For guidance that applies to Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>.
+The ASP.NET Core web app templates support authenticators but don't provide support for QR code generation. QR code generators ease the setup of 2FA. This document provides guidance for Razor Pages and MVC apps on how to add [QR code](https://wikipedia.org/wiki/QR_code) generation to the 2FA configuration page. For guidance that applies to Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>. For guidance that applies to Blazor WebAssembly apps, see <xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery>.
 
 :::moniker-end
 

From 6060ce86b6c0b499d455139c416ee8cb51d60dd5 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 4 Dec 2024 11:08:51 -0500
Subject: [PATCH 18/25] Updates

---
 aspnetcore/security/authentication/identity-enable-qrcodes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aspnetcore/security/authentication/identity-enable-qrcodes.md b/aspnetcore/security/authentication/identity-enable-qrcodes.md
index fb9bd7b19282..1fa8a0abbb96 100644
--- a/aspnetcore/security/authentication/identity-enable-qrcodes.md
+++ b/aspnetcore/security/authentication/identity-enable-qrcodes.md
@@ -17,7 +17,7 @@ ASP.NET Core ships with support for authenticator applications for individual au
 
 :::moniker range=">= aspnetcore-8.0"
 
-The ASP.NET Core web app templates support authenticators but don't provide support for QR code generation. QR code generators ease the setup of 2FA. This document provides guidance for Razor Pages and MVC apps on how to add [QR code](https://wikipedia.org/wiki/QR_code) generation to the 2FA configuration page. For guidance that applies to Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>. For guidance that applies to Blazor WebAssembly apps, see <xref:blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery>.
+The ASP.NET Core web app templates support authenticators but don't provide support for QR code generation. QR code generators ease the setup of 2FA. This document provides guidance for Razor Pages and MVC apps on how to add [QR code](https://wikipedia.org/wiki/QR_code) generation to the 2FA configuration page. For guidance that applies to Blazor Web Apps, see <xref:blazor/security/qrcodes-for-authenticator-apps>. For guidance that applies to Blazor WebAssembly apps, see <xref:blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps>.
 
 :::moniker-end
 

From c128164f8cdc366c10962802b24a64581b54f215 Mon Sep 17 00:00:00 2001
From: Luke Latham <1622880+guardrex@users.noreply.github.com>
Date: Wed, 4 Dec 2024 16:23:12 -0500
Subject: [PATCH 19/25] Apply suggestions from code review

Co-authored-by: Stephen Halter <halter73@gmail.com>
---
 .../account-confirmation-and-password-recovery.md    |  2 +-
 .../qrcodes-for-authenticator-apps.md                | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
index 02c9e7e6eb53..89cfface86ce 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/account-confirmation-and-password-recovery.md
@@ -362,7 +362,7 @@ In the client project, add the following `ForgotPassword` component.
                     Obtain the code from the email for this form.
                 </div>
                 <EditForm Model="Reset" FormName="reset-password" 
-                          OnValidSubmit="OnValidSubmitStep2Async" method="post">
+                    OnValidSubmit="OnValidSubmitStep2Async" method="post">
                     <DataAnnotationsValidator />
                     <ValidationSummary class="text-danger" role="alert" />
 
diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 1ce2e999b86f..b9225f0a74a2 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -480,6 +480,8 @@ Replace the `Login` component. The following version of the `Login` component:
         {
             if (!string.IsNullOrEmpty(Input.TwoFactorCode))
             {
+                // The [RegularExpression] data annotation ensures that the input will be either a six-digit
+                // authenticator code (######) or eleven-character alphanumeric recovery code (#####-#####)
                 if (Input.TwoFactorCode.Length == 6)
                 {
                     formResult = await Acct.LoginTwoFactorCodeAsync(
@@ -505,7 +507,10 @@ Replace the `Login` component. The following version of the `Login` component:
             formResult = await Acct.LoginAsync(Input.Email, Input.Password);
             requiresTwoFactor = formResult.ErrorList.Contains("RequiresTwoFactor");
             Input.TwoFactorCode = string.Empty;
-            formResult.ErrorList = [];
+            if (requiresTwoFactor)
+            {
+                formResult.ErrorList = [];
+            }
         }
 
         if (formResult.Succeeded && !string.IsNullOrEmpty(ReturnUrl))
@@ -526,13 +531,12 @@ Replace the `Login` component. The following version of the `Login` component:
         [Display(Name = "Password")]
         public string Password { get; set; } = string.Empty;
 
-        [Required]
         [RegularExpression(@"^([0-9]{6})|([A-Z0-9]{5}[-]{1}[A-Z0-9]{5})$", 
             ErrorMessage = "Must be a six-digit authenticator code (######) or " +
             "eleven-character alphanumeric recovery code (#####-#####, dash " +
             "required)")]
-        [Display(Name = "Two-factor code")]
-        public string TwoFactorCode { get; set; } = "123456";
+        [Display(Name = "Two-factor Code or Recovery Code")]
+        public string TwoFactorOrRecoveryCode { get; set; } = string.Empty;
     }
 }
 ```

From 5025c32910eed9bdd772502beb077ce805e3acae Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 4 Dec 2024 16:29:23 -0500
Subject: [PATCH 20/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         | 45 ++++++++++++-------
 1 file changed, 30 insertions(+), 15 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index b9225f0a74a2..e923515e512c 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -431,15 +431,15 @@ Replace the `Login` component. The following version of the `Login` component:
                         </div>
                         <div style="display:@(requiresTwoFactor ? "block" : "none")">
                             <div class="form-floating mb-3">
-                                <InputText @bind-Value="Input.TwoFactorCode" 
-                                    id="Input.TwoFactorCode" 
+                                <InputText @bind-Value="Input.TwoFactorCodeOrRecoveryCode" 
+                                    id="Input.TwoFactorCodeOrRecoveryCode" 
                                     class="form-control" 
                                     autocomplete="off" 
                                     placeholder="###### or #####-#####" />
-                                <label for="Input.TwoFactorCode" class="form-label">
+                                <label for="Input.TwoFactorCodeOrRecoveryCode" class="form-label">
                                     Two-factor Code or Recovery Code
                                 </label>
-                                <ValidationMessage For="() => Input.TwoFactorCode" 
+                                <ValidationMessage For="() => Input.TwoFactorCodeOrRecoveryCode" 
                                     class="text-danger" />
                             </div>
                         </div>
@@ -478,19 +478,22 @@ Replace the `Login` component. The following version of the `Login` component:
     {
         if (requiresTwoFactor)
         {
-            if (!string.IsNullOrEmpty(Input.TwoFactorCode))
+            if (!string.IsNullOrEmpty(Input.TwoFactorCodeOrRecoveryCode))
             {
-                // The [RegularExpression] data annotation ensures that the input will be either a six-digit
-                // authenticator code (######) or eleven-character alphanumeric recovery code (#####-#####)
-                if (Input.TwoFactorCode.Length == 6)
+                // The [RegularExpression] data annotation ensures that the input 
+                // is either a six-digit authenticator code (######) or an 
+                // eleven-character alphanumeric recovery code (#####-#####)
+                if (Input.TwoFactorCodeOrRecoveryCode.Length == 6)
                 {
                     formResult = await Acct.LoginTwoFactorCodeAsync(
-                        Input.Email, Input.Password, Input.TwoFactorCode);
+                        Input.Email, Input.Password, 
+                        Input.TwoFactorCodeOrRecoveryCode);
                 }
                 else
                 {
                     formResult = await Acct.LoginTwoFactorRecoveryCodeAsync(
-                        Input.Email, Input.Password, Input.TwoFactorCode);
+                        Input.Email, Input.Password, 
+                        Input.TwoFactorCodeOrRecoveryCode);
 
                     if (formResult.Succeeded)
                     {
@@ -501,12 +504,22 @@ Replace the `Login` component. The following version of the `Login` component:
                     }
                 }
             }
+            else
+            {
+                formResult = 
+                    new FormResult
+                    {
+                        Succeeded = false,
+                        ErrorList = [ "Invalid two-factor code." ]
+                    };
+            }
         }
         else
         {
             formResult = await Acct.LoginAsync(Input.Email, Input.Password);
             requiresTwoFactor = formResult.ErrorList.Contains("RequiresTwoFactor");
-            Input.TwoFactorCode = string.Empty;
+            Input.TwoFactorCodeOrRecoveryCode = string.Empty;
+
             if (requiresTwoFactor)
             {
                 formResult.ErrorList = [];
@@ -536,7 +549,7 @@ Replace the `Login` component. The following version of the `Login` component:
             "eleven-character alphanumeric recovery code (#####-#####, dash " +
             "required)")]
         [Display(Name = "Two-factor Code or Recovery Code")]
-        public string TwoFactorOrRecoveryCode { get; set; } = string.Empty;
+        public string TwoFactorCodeOrRecoveryCode { get; set; } = string.Empty;
     }
 }
 ```
@@ -544,13 +557,15 @@ Replace the `Login` component. The following version of the `Login` component:
 Using the preceding component, the user is remembered after a successful login with a valid TOTP code from an authenticator app. If you want to always require a TOTP code for login and not remember the machine, call the `TwoFactorRequestAsync` method with `TwoFactorRequest.ForgetMachine` set to `true` immediately after a successful two-factor login:
 
 ```diff
-if (Input.TwoFactorCode.Length == 6)
+if (Input.TwoFactorCodeOrRecoveryCode.Length == 6)
 {
-    formResult = await Acct.LoginTwoFactorCodeAsync(Input.Email, Input.Password, Input.TwoFactorCode);
+    formResult = await Acct.LoginTwoFactorCodeAsync(Input.Email, Input.Password, 
+        Input.TwoFactorCodeOrRecoveryCode);
 
 +    if (formResult.Succeeded)
 +    {
-+        var forgetMachine = await Acct.TwoFactorRequestAsync(new() { ForgetMachine = true });
++        var forgetMachine = 
++            await Acct.TwoFactorRequestAsync(new() { ForgetMachine = true });
 +    }
 }
 ```

From e57702cb44b9bdaf57ff360b5573f58d0b9f11e1 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Wed, 4 Dec 2024 16:40:08 -0500
Subject: [PATCH 21/25] Updates

---
 .../standalone-with-identity/qrcodes-for-authenticator-apps.md   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index e923515e512c..d44acde4af9c 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -808,6 +808,7 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 
     private async Task Disable2FA()
     {
+        await Acct.TwoFactorRequestAsync(new() { ForgetMachine = true });
         twoFactorResponse = 
             await Acct.TwoFactorRequestAsync(new() { ResetSharedKey = true });
         svgGraphicsPath = await GetQrCode(twoFactorResponse.SharedKey);

From 17be3fb0599726268f31bf6ddaecfdd987504f0a Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 5 Dec 2024 15:49:22 -0500
Subject: [PATCH 22/25] Updates

---
 .../qrcodes-for-authenticator-apps.md                | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index d44acde4af9c..4ab062eb84f9 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -829,6 +829,18 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
                 TwoFactorCode = Input.Code 
             });
         Input.Code = string.Empty;
+
+        // When 2FA is first enabled, recovery codes are returned.
+        // However, subsequently disabling and re-enabling 2FA
+        // leaves the existing codes in place and doesn't generate
+        // a new set of recovery codes. The following code ensures
+        // that a new set of recovery codes is generated each
+        // time 2FA is enabled.
+        if (twoFactorResponse.RecoveryCodes is null || 
+            twoFactorResponse.RecoveryCodes.Length == 0)
+        {
+            await GenerateNewCodes();
+        }
     }
 
     private sealed class InputModel

From 0be9c72b671a91257174055c067ba5965d5294a6 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 5 Dec 2024 16:13:54 -0500
Subject: [PATCH 23/25] Updates

---
 .../qrcodes-for-authenticator-apps.md         | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 4ab062eb84f9..07d390437e72 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -213,7 +213,10 @@ public async Task<FormResult> LoginAsync(string email, string password)
             }
         }
     }
-    catch { }
+    catch (Exception ex)
+    {
+        logger.LogError(ex, "App error");
+    }
 
     return new FormResult
     {
@@ -248,7 +251,10 @@ public async Task<FormResult> LoginTwoFactorCodeAsync(
             return new FormResult { Succeeded = true };
         }
     }
-    catch { }
+    catch (Exception ex)
+    {
+        logger.LogError(ex, "App error");
+    }
 
     return new FormResult
     {
@@ -283,7 +289,10 @@ public async Task<FormResult> LoginTwoFactorRecoveryCodeAsync(string email,
             return new FormResult { Succeeded = true };
         }
     }
-    catch { }
+    catch (Exception ex)
+    {
+        logger.LogError(ex, "App error");
+    }
 
     return new FormResult
     {
@@ -380,12 +389,6 @@ Replace the `Login` component. The following version of the `Login` component:
         <div class="alert alert-success">
             You're logged in as @context.User.Identity?.Name.
         </div>
-        @if (!string.IsNullOrEmpty(recoveryCodesRemainingMessage))
-        {
-            <div class="alert alert-warning">
-                @recoveryCodesRemainingMessage
-            </div>
-        }
     </Authorized>
     <NotAuthorized>
         @foreach (var error in formResult.ErrorList)
@@ -466,7 +469,6 @@ Replace the `Login` component. The following version of the `Login` component:
 @code {
     private FormResult formResult = new();
     private bool requiresTwoFactor;
-    private string? recoveryCodesRemainingMessage;
 
     [SupplyParameterFromForm]
     private InputModel Input { get; set; } = new();
@@ -498,9 +500,6 @@ Replace the `Login` component. The following version of the `Login` component:
                     if (formResult.Succeeded)
                     {
                         var twoFactorResponse = await Acct.TwoFactorRequestAsync(new());
-                        recoveryCodesRemainingMessage =
-                            $"You have {twoFactorResponse.RecoveryCodesLeft} recovery " +
-                            "codes remaining.";
                     }
                 }
             }
@@ -662,6 +661,10 @@ If 2FA is enabled, buttons appear to disable 2FA and regenerate recovery codes.
 
                     @if (twoFactorResponse.RecoveryCodes is null)
                     {
+                        <div class="m-1">
+                            Recovery Codes Remaining: 
+                            @twoFactorResponse.RecoveryCodesLeft
+                        </div>
                         <div class="m-1">
                             <button @onclick="GenerateNewCodes" 
                                     class="btn btn-lg btn-primary">

From 9c5525e56fbf6b245146c6a40310754e64e88d57 Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 5 Dec 2024 16:17:28 -0500
Subject: [PATCH 24/25] Updates

---
 .../qrcodes-for-authenticator-apps.md                    | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index 07d390437e72..ff4ff4d11c65 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -160,6 +160,15 @@ At the top of the `CookieAuthenticationStateProvider.cs` file, add a `using` sta
 using System.Text.Json.Serialization;
 ```
 
+Inject an `ILogger<CookieAuthenticationStateProvider>` to log exceptions in the class:
+
+```diff
+- public class CookieAuthenticationStateProvider(IHttpClientFactory httpClientFactory) 
+-     : AuthenticationStateProvider, IAccountManagement
++ public class CookieAuthenticationStateProvider(IHttpClientFactory httpClientFactory, ILogger<CookieAuthenticationStateProvider> logger) 
++     : AuthenticationStateProvider, IAccountManagement
+```
+
 In the <xref:System.Text.Json.JsonSerializerOptions>, add the <xref:System.Text.Json.JsonSerializerOptions.DefaultIgnoreCondition> option set to <xref:System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull?displayProperty=nameWithType>, which avoids serializing null properties:
 
 ```diff

From 7d71141d11f6d114cb16369e7f1e13cf300ec88f Mon Sep 17 00:00:00 2001
From: guardrex <1622880+guardrex@users.noreply.github.com>
Date: Thu, 5 Dec 2024 16:58:47 -0500
Subject: [PATCH 25/25] Updates

---
 .../standalone-with-identity/qrcodes-for-authenticator-apps.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
index ff4ff4d11c65..353b9227a7d6 100644
--- a/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity/qrcodes-for-authenticator-apps.md
@@ -165,7 +165,8 @@ Inject an `ILogger<CookieAuthenticationStateProvider>` to log exceptions in the
 ```diff
 - public class CookieAuthenticationStateProvider(IHttpClientFactory httpClientFactory) 
 -     : AuthenticationStateProvider, IAccountManagement
-+ public class CookieAuthenticationStateProvider(IHttpClientFactory httpClientFactory, ILogger<CookieAuthenticationStateProvider> logger) 
++ public class CookieAuthenticationStateProvider(IHttpClientFactory httpClientFactory, 
++     ILogger<CookieAuthenticationStateProvider> logger) 
 +     : AuthenticationStateProvider, IAccountManagement
 ```