I have a web app that currently authenticates users using a username & password. The application uses Windows Integrated Authentication today.
I would like to change the system to authenticate using the username & an alternative credential (say, a one-time code sent via SMS). Once this alternative credential has been verified, the system should consider the user authenticated and allow the user to access the protected resource.
The best approach for this, from what I can tell, is to write an HTTP Handler that will verify the user's credential, and then, using some sort of constrained delegated mechanism, log the user in, so the app would behave the same as it does today.
Am I on the right track? Would somebody be able to point me to some sample code that does what I am looking to do?
Thanks in advance.