What .NET objects should I use to create a cookie based session in MVC?

Posted by makerofthings7 on Programmers
Published on 2013-01-29T15:29:28Z Indexed on 2013/11/01 22:11 UTC

I'm writing a custom password reset application that uses a validation technique that doesn't fit cleanly with ASP.NET Membership Provider's challenge questions.

Namely I need to invoke a workflow and collect information from the end user (backup phone number, email address) after the user logs in using a custom form.

The only way I know to create a cookie-based session (without too much "innovation" on my part) is to use WIF.

  • What other standard objects can I use with ASP.NET MVC to create an authenticated session that works with non-Windows user stores?

Ideally I can store "role" or claim information in the session object such as "admin", "departmentXadmin", "normalUser", or "restrictedUser".


The workflow would look like this:

  1. User logs in with username and password
  2. If the username and pw are correct, a (stateless) cookie-based session is created
  3. The user gets redirected to an HTML form that allows them to enter their backup phone number (for SMS dual factor), or validate it if already set.
  4. The user can then change their password using the form provided

The "forgot password" would look like this:

  1. User requests OTP code to be sent to the phone
  2. User logs in using username and OTP
  3. If the OTP is valid and not expired, then create a cookie-based session and redirect to a form that allows password reset
  4. Show password reset form, and process results.
