public async Task CanResetAuthenticator()
{
    // Functional check of the authenticator-reset flow: register a user, enable
    // two-factor authentication, sign in from a second client with the
    // authenticator key, reset the authenticator, then assert that the
    // "AspNet.Identity.SecurityStamp" claim differs between two of the
    // principals captured during the run.
    //
    // NOTE(review): a changed security stamp is presumably what lets the app
    // reject cookies issued before the reset; this test only checks that the
    // claim value changes, not that older sessions are actually refused.

    // Arrange
    var capturedPrincipals = new List<ClaimsPrincipal>();

    // Every principal reported through the hook is appended, so list order
    // follows the order in which the hook fires.
    void RegisterTestServices(IServiceCollection serviceCollection)
    {
        serviceCollection
            .SetupTestThirdPartyLogin()
            .SetupGetUserClaimsPrincipal(
                principal => capturedPrincipals.Add(principal),
                IdentityConstants.ApplicationScheme);
    }

    var testServer = ServerFactory.WithWebHostBuilder(
        builder => builder.ConfigureTestServices(RegisterTestServices));
    var enrollmentClient = testServer.CreateClient();
    var freshSessionClient = testServer.CreateClient();

    var userName = $"{Guid.NewGuid()}@example.com";
    var password = $"!Test.Password1$";

    // Act
    var signedIn = await UserStories.RegisterNewUserAsync(enrollmentClient, userName, password);
    var authenticatorKey =
        (await UserStories.EnableTwoFactorAuthentication(signedIn)).Context.AuthenticatorKey;

    // Use a new client to simulate a new browser session.
    await UserStories.AcceptCookiePolicy(freshSessionClient);
    var indexPage = await UserStories.LoginExistingUser2FaAsync(
        freshSessionClient,
        userName,
        password,
        authenticatorKey);
    await UserStories.ResetAuthenticator(indexPage);

    // RefreshSignIn generates a new security stamp claim.
    // Presumably index 1 is the 2FA sign-in and index 2 the refreshed sign-in
    // after the reset (index 0 being registration); confirm against the hook.
    var earlierPrincipal = capturedPrincipals[1];
    var laterPrincipal = capturedPrincipals[2];
    AssertClaimsNotEqual(earlierPrincipal, laterPrincipal, "AspNet.Identity.SecurityStamp");
}