Upload: nordic-infrastructure-conference

Post on 18-Nov-2014

Page 1: Brian Desmond - Quickly and easily protect your applications and services with multi factor authentication

Protect Your Applications with Windows Azure Multi-Factor Authentication

Brian Desmond

Page 2:

Intro
• Chicago based
• Active Directory & Identity consultant
  – Edgile, Inc – www.edgile.com
• Microsoft MVP for Active Directory since 2003
• Author of Active Directory, 5th Ed from O'Reilly
  – You should own a copy!

e-mail: [email protected]

website & blog: www.briandesmond.com

@brdesmond

Page 3:

Agenda
• Intro to Multi-Factor Authentication
• Windows Azure Multi-Factor Authentication
• Configuration and Deployment
• Demo
• Wrap-Up

Page 4:

What is Multi-Factor Authentication?
• Two or more factors:
  – Something you know: a password or PIN
  – Something you have: a phone, smart card or hardware token
  – Something you are: a fingerprint, retinal scan or other biometric
• Even stronger with multiple communication channels

Page 5:

Why Multi-Factor Authentication?
• The concept of keeping identities and data behind the firewall is changing
  – Users are working remotely
  – Employee owned devices are connecting to the network
  – Applications and services are moving to the cloud
• Regulatory compliance requirements

Page 6:

Solutions in the Market Place Today

[Chart: Hardware Tokens, Certificates, Smart Cards, Phones compared on a 0 to 4 scale]

Page 7:

Hardware Tokens
• Key fob or other device that generates a one-time passcode (OTP) every 60 seconds
• Expensive to distribute, replace, and maintain
  – Another item for end users to carry and remember
• Single channel of communication
• Complex to extend to cloud/SaaS services

Page 8:

Smart Cards
• Credit card or USB token with a user certificate
• Requires special hardware to read card
  – Difficult to work from non-company issued devices
• Complex infrastructure to support a proper PKI
• End users must keep track of card or token
  – Issuance and replacement procedures may require in-person visit

Page 9:

Azure Multi-Factor Authentication
• Authenticate via any registered mobile or desk phone or phone app
  – Optional PIN to prove the call
• No additional hardware requirement
• Two channels of communication add security

Page 10:

[Diagram: Azure MFA architecture]
• Windows Server AD or Other LDAP
• On-Premises Apps: RADIUS, LDAP, IIS, RDS/VDI
• Multi-Factor Authentication Server (on-premises)
• Multi-Factor Authentication Service (cloud)
• Cloud Apps: SAML, Windows Azure Active Directory, .NET, Java, PHP…

1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.

Page 11:

Integrating Existing Systems
• Windows Azure MFA works with existing on-premises applications and services
• SAML and ADFS integration enables SaaS apps to transparently take advantage of MFA
• Azure Active Directory enables MFA for Office365 and AAD integrated applications

Page 12:

On-Premises Applications and Services
• MFA Server installed on-premises to broker authentication
  – RADIUS
  – LDAP
  – IIS Applications
  – ADFS/SAML
  – Remote Desktop Services
  – Custom integration via SDK
• MFA Server connects to Azure MFA cloud service to perform authentication

Page 13:

SaaS and Federated Applications
• ADFS in Windows Server 2012 R2 supports multi-factor authentication
  – MFA Server will also work with ADFS 2.0/2.1
• Authentication policies enable flexible deployment of multi-factor authentication
  – Device type
  – User location
  – Specific applications

Page 14:

Azure and Office365
• Link Azure MFA to your Azure Active Directory
• Enable users for MFA and they will be prompted to register on their next sign-in
• Experience with Office applications is not ideal today
  – Application specific passwords required for each non-web application
• Great for securing your administrative accounts

Page 15:

Deployment
• Two major steps to taking advantage of Azure MFA:
  – Register user phone information
  – Configure applications and services to use MFA
• Plan for new support dependencies
  – Forgotten PINs
  – Lost/stolen phones
• Don't forget to involve your security team early on

Page 16:

On-Premises Server
• Download from the Azure MFA Portal
• Post-installation wizard will prompt for activation credentials
  – Generate these on the Azure MFA server download page
  – Credentials expire after 60 seconds
• Multiple instances can be configured to replicate
  – Don't forget to back up the MFA server database

Page 17:

Authentication Methods
• Voice Call
  – Optional PIN and/or voice print analysis
• SMS Text Message, 1-way or 2-way
  – 1-way includes a one-time passcode
  – 2-way requires user to reply with PIN
• App
  – Available for iOS, Android, Windows Phone
  – Push notification triggers app to approve authentication attempt
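The second step from the architecture slide, carried through for each of the phone methods listed above (voice call with optional PIN, 1-way and 2-way SMS, app push), as an added example that is not part of the original slides or the Azure MFA SDK; the User record, the MfaBroker class, the method names and the 60-second answer lifetime are assumptions made for this model.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed model of step 2 on the architecture slide: after the password
# check, the broker challenges the registered phone and grants access only when
# that second channel answers. User, MfaBroker, the method names and the
# 60-second answer lifetime are assumptions for this example, not the product API.

@dataclass
class User:
    name: str
    phone: str
    method: str                # "voice", "sms_1way", "sms_2way" or "app"
    pin: Optional[str] = None  # optional for voice calls, required for 2-way SMS

class MfaBroker:
    def __init__(self, otp_ttl: int = 60, now=time.time):
        self.otp_ttl = otp_ttl
        self.now = now
        self.pending = {}      # user name -> (expected answer, issued at)

    def challenge(self, user: User) -> dict:
        """Send the challenge out of band; remember the answer that proves the phone."""
        if user.method == "sms_1way":
            expected = f"{secrets.randbelow(10**6):06d}"   # one-time passcode
            message = f"Your code is {expected}"
        elif user.method == "sms_2way":
            if not user.pin:
                raise ValueError("2-way SMS requires a registered PIN")
            expected, message = user.pin, "Reply with your PIN"
        elif user.method == "voice":      # press # to approve, or enter the PIN
            expected, message = (user.pin, "Enter your PIN") if user.pin else ("#", "Press #")
        elif user.method == "app":
            expected, message = "approve", "Push: approve this sign-in?"
        else:
            raise ValueError(f"unknown method {user.method}")
        self.pending[user.name] = (expected, self.now())
        return {"channel": user.method, "to": user.phone, "message": message}

    def verify(self, user: User, response: str) -> bool:
        entry = self.pending.pop(user.name, None)   # one answer per challenge
        if entry is None:
            return False                   # no outstanding challenge
        expected, issued = entry
        if self.now() - issued > self.otp_ttl:
            return False                   # stale answer
        return hmac.compare_digest(expected, response)
```

A wrong or late answer consumes the challenge, so a retry needs a fresh call, text or push rather than another guess against the same one.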

Page 18:

User Registration
• Phone numbers must be associated with each user to enable authentication
• On-premises, phone numbers can be sourced from Active Directory or via end user self-service registration
• In Windows Azure, phone numbers are currently sourced via end user self-service

Page 19:

Registration Portal
• Cloud users can be prompted by Windows Azure to register their phone details
• On-premises server includes an optional user registration portal
  – Populates the Windows Azure MFA server database

Page 20:

Registration Processes
• Think about how you will get all of your users registered
  – MFA Server can be configured to automatically email new users
• Azure MFA SDK can be used to build custom registration processes
  – You may not want to create an additional place for users to visit for IT services

Page 21:

Building Applications with the SDK
• Web service enables developers to integrate with on-premises Azure MFA server
• Typical scenarios include tightly integrating multi-factor authentication and building custom user management / registration portals

Page 22:

DEMO

Page 23:

Summary
• Azure MFA is a simple and secure solution for protecting existing and new applications
• Works with on-premises and cloud hosted applications
• No expensive tokens or complex end user training is required

Page 24:

Questions?

Page 25:

Please evaluate the session before you leave