We are using Asp.net Identity (currently version 2). For the purpose of local user authentication, the framework expects clear-text passwords. As far as I understand, this is not the safe method to transfer passwords.

A quick answer can be: use ssl to encrypt password transfer, but this is not a viable solution to everyone.

This is what we think: The logon form is provided with a one-time random token, then it hashes the password, attaches it to the token and hashes it again. The result is sent to the server. The server has the hash of the password and the random token, concats them together and if their hash equals what the client sent, proceeds with the logon process.

This is not possible with the current api provided by Asp.net identity: It expects raw password.

What should we do? Rely only on ssl? Is there a way to secure password transfer without ssl?

The web relies on https for securing sensitive information like passwords. I'd say follow the standard. Your hashing algorithm isn't as tried and true as decades of https development.