2. Intro
• Chicago based
• Active Directory & Identity consultant
– Edgile, Inc – www.edgile.com
• Microsoft MVP for Active Directory since 2003
• Author of Active Directory, 5th Ed from O’Reilly
– You should own a copy!
e-mail: brian.desmond@edgile.com
e-mail: brian@briandesmond.com
website & blog: www.briandesmond.com
@brdesmond
4. What is Multi-Factor Authentication?
• Two or more factors:
– Something you know: a password or PIN
– Something you have: a phone, smart card or hardware
token
– Something you are: a fingerprint, retinal scan or other
biometric
• Even stronger with multiple communication channels
5. Why Multi-Factor Authentication?
• The concept of keeping identities and data
behind the firewall is changing
– Users are working remotely
– Employee owned devices are connecting to the
network
– Applications and services are moving to the cloud
• Regulatory compliance requirements
6. Solutions in the Market Place Today
Hardware Tokens
Smart Cards
Certificates
Phones
7. Hardware Tokens
• Key fob or other device that generates a one
time passcode (OTP) every 60 seconds
• Expensive to distribute, replace, and maintain
– Another item for end users to carry and remember
• Single channel of communication
• Complex to extend to cloud/SaaS services
8. Smart Cards
• Credit card or USB token with a user certificate
• Requires special hardware to read card
– Difficult to work from non-company issued devices
• Complex infrastructure to support a proper PKI
• End users must keep track of card or token
– Issuance and replacement procedures may require an in-person visit
9. Azure Multi-Factor Authentication
• Authenticate via any registered mobile or desk
phone or phone app
– Optional PIN to proof the call
• No additional hardware requirement
• Two channels of communication add security
11. Integrating Existing Systems
• Windows Azure MFA works with existing on-premises applications and services
• SAML and ADFS integration enables SaaS apps
to transparently take advantage of MFA
• Azure Active Directory enables MFA for
Office365 and AAD integrated applications
12. On-Premises Applications and Services
• MFA Server installed on-premises to broker authentication
– RADIUS
– LDAP
– IIS Applications
– ADFS/SAML
– Remote Desktop Services
– Custom integration via SDK
• MFA Server connects to Azure MFA cloud service to
perform authentication
13. SaaS and Federated Applications
• ADFS in Windows Server 2012 R2 supports multi-factor
authentication
– MFA Server will also work with ADFS 2.0/2.1
• Authentication policies enable flexible deployment of
multi-factor authentication
– Device type
– User location
– Specific applications
14. Azure and Office365
• Link Azure MFA to your Azure Active Directory
• Enable users for MFA and they will be prompted to
register on their next sign-in
• Experience with Office applications is not ideal today
– Application specific passwords required for each non-web
application
• Great for securing your administrative accounts
15. Deployment
• Two major steps to taking advantage of Azure MFA:
– Register user phone information
– Configure applications and services to use MFA
• Plan for new support dependencies
– Forgotten PINs
– Lost/stolen phones
• Don’t forget to involve your security team early on
16. On-Premises Server
• Download from the Azure MFA Portal
• Post-installation wizard will prompt for activation
credentials
– Generate these on the Azure MFA server download page
– Credentials expire after 60 seconds
• Multiple instances can be configured to replicate
– Don’t forget to backup the MFA server database
17. Authentication Methods
• Voice Call
– Optional PIN and/or voice print analysis
• SMS Text Message 1-way or 2-way
– 1-way includes a one time pass code
– 2-way requires user to reply with PIN
• App
– Available for iOS, Android, Windows Phone
– Push notification triggers app to approve
authentication attempt
18. User Registration
• Phone numbers must be associated with each
user to enable authentication
• On-premises, phone numbers can be sourced
from Active Directory or via end user self-service
registration
• In Windows Azure, phone numbers are currently
sourced via end user self-service
19. Registration Portal
• Cloud users can be prompted by Windows
Azure to register their phone details
• On-premises server includes an optional user
registration portal
– Populates the Windows Azure MFA server
database
20. Registration Processes
• Think about how you will get all of your users
registered
– MFA Server can be configured to automatically email
new users
• Azure MFA SDK can be used to build custom
registration processes
– You may not want to create an additional place for
users to visit for IT services
21. Building Applications with the SDK
• Web service enables developers to integrate
with on-premises Azure MFA server
• Typical scenarios include tightly integrating
multi-factor authentication and building
custom user management / registration
portals
23. Summary
• Azure MFA is a simple and secure solution for
protecting existing and new applications
• Works with on-premises and cloud hosted
applications
• No expensive tokens or complex end user
training is required
First the user signs in from any device using their existing account credentials. If the user is signing into an on-premises application, the Multi-Factor Server that is installed at the customer’s site intercepts the authentication request. First it checks the username and password against the user directory. If the correct credentials are entered, a request is sent to the Multi-Factor Authentication cloud service. The service sends the authentication request to the user’s phone. Once the user has authenticated, they are instantly signed into the application. There are a number of ways to configure the service to secure cloud apps. First, the on-premises multi-factor server can be used with Active Directory Federation Services or another SAML application for single sign-on to cloud applications. For apps that use Windows Azure Active Directory, the directory can call the Multi-Factor Authentication cloud service directly. Or developers can build multi-factor into their custom apps using one of the Software Development Kits.
Convenience & Simplicity
With Multi-Factor Authentication from Windows Azure, there are no devices or certificates to purchase, provision, and maintain. It works with the user’s existing landline phone or mobile device. The authentication process is simple: it takes just seconds and no special training is required. Unlike hardware tokens, users replace their own lost or broken phones. Users manage their own authentication methods and phone numbers, eliminating calls to your help desk for basic changes. Multi-Factor Authentication can synchronize with your existing Active Directory or LDAP directory and is built into Windows Azure Active Directory, so user management is centralized. Enrollment is fully automated. For on-premises identities, new users can be prompted via an automated email to set up multi-factor using an on-premises web portal. For cloud identities, users are prompted to complete setup the next time they sign in. This allows for rapid deployment to large numbers of geographically dispersed users. Users get easy, anywhere access and you get a solution that’s easy to manage.
Scale
The service works out-of-the-box with a wide range of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems and much more. This includes Microsoft systems like:
– Microsoft VPN/RRAS
– Remote Desktop Gateway
– Universal Access Gateway
– Terminal Services
– SharePoint
– Outlook Web Access
As well as third party VPNs and virtual desktop systems. The service supports federation to cloud services using Active Directory Federation Services as well as other SAML-based applications. It is built into Windows Azure AD and works instantly with any applications that use the directory. This includes:
– Office 365
– Dynamics CRM Online
– Windows Azure Portal
– Windows Intune
– 3rd Party Applications
– Applications that use the new Azure AD App Access capability
A Software Development Kit is available for use with custom applications and directories. The reliable, scalable service supports high-volume, mission critical applications.
Security
Its out-of-band push, call, and text methods offer added protection against malware and man-in-the-middle attacks. If the user does not approve an authentication request when prompted or cannot be reached for authentication, access is denied. However, because the user’s credentials are verified before the Multi-Factor Authentication service is triggered, this is an indication that the user’s password has been compromised. In some cases, the user will have the option to submit a fraud alert during the authentication request. This will prevent further login attempts and sends a notification to your IT department. You can then work with the user to reset the user’s password. A PIN option, where available, offers an additional layer of security by requiring users to also enter a secret PIN to authenticate. Rules regarding PIN strength and expiration can be set by the admin. If a user’s PIN has expired, for example, they will be prompted to set a new PIN the next time they are prompted for multi-factor authentication. On-demand and scheduled reports are available for auditing of authentication requests. Multi-Factor Authentication enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements for multi-factor authentication.
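The broker flow in the notes (password verified against the directory first, then an out-of-band challenge, with a denied challenge treated as a compromised-password signal and a fraud report locking the account) as an added Python model; this is illustrative code, not the MFA Server or the Azure MFA SDK, and the 90-day PIN expiry, the constructed phone replies and the user record are assumptions.

```python
# Added example: a small model of the MFA Server decision logic from the notes.
# Not Microsoft code; the policy values and data shapes are assumptions.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

PIN_MAX_AGE = 90 * 86400          # assumed admin policy: PIN expires after 90 days

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    pin: Optional[str] = None     # optional PIN for the voice call / 2-way SMS
    pin_set_at: float = 0.0
    fraud_locked: bool = False    # set when the user reports fraud on a prompt
    mfa_denials: int = 0          # valid password but challenge denied/unanswered

def make_user(password: str, pin: Optional[str] = None) -> User:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(salt, digest, pin, time.time())

def check_password(u: User, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), u.salt, 100_000)
    return hmac.compare_digest(cand, u.pw_hash)

def authenticate(directory, username, password, phone_reply, pin_reply=None, now=None):
    """phone_reply is the constructed out-of-band answer: 'approve', 'deny',
    'fraud', or None when the phone cannot be reached. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    u = directory.get(username)
    if u is None or not check_password(u, password):
        return False, "password"          # the cloud service is never contacted
    if u.fraud_locked:
        return False, "locked"            # further attempts blocked until IT resets
    if phone_reply == "fraud":
        u.fraud_locked = True             # block the account and notify IT
        return False, "fraud_alert"
    if phone_reply != "approve":
        u.mfa_denials += 1                # correct password + no approval: investigate
        return False, "mfa_denied"
    if u.pin is not None:
        if now - u.pin_set_at > PIN_MAX_AGE:
            return False, "pin_expired"   # user must set a new PIN at next prompt
        if not hmac.compare_digest(u.pin, pin_reply or ""):
            return False, "pin"
    return True, "ok"
```

A rising `mfa_denials` count on an account is the signal the notes describe: the password was accepted, so it should be reset even though access was denied.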