Date posted: 18-Nov-2014
Uploaded by: nordic-infrastructure-conference
Protect Your Applications with Windows Azure Multi-Factor Authentication
Brian Desmond
Intro
• Chicago based
• Active Directory & Identity consultant
  – Edgile, Inc – www.edgile.com
• Microsoft MVP for Active Directory since 2003
• Author of Active Directory, 5th Ed from O’Reilly
  – You should own a copy!
e-mail: [email protected]
website & blog: www.briandesmond.com
@brdesmond
Agenda
• Intro to Multi-Factor Authentication
• Windows Azure Multi-Factor Authentication
• Configuration and Deployment
• Demo
• Wrap-Up

What is Multi-Factor Authentication?
• Two or more factors:
  – Something you know: a password or PIN
  – Something you have: a phone, smart card or hardware token
  – Something you are: a fingerprint, retinal scan or other biometric
• Even stronger with multiple communication channels
Why Multi-Factor Authentication?
• The concept of keeping identities and data behind the firewall is changing
  – Users are working remotely
  – Employee owned devices are connecting to the network
  – Applications and services are moving to the cloud
• Regulatory compliance requirements
Solutions in the Market Place Today
(Chart on the slide comparing: Hardware Tokens, Certificates, Smart Cards, Phones)
Hardware Tokens
• Key fob or other device that generates a one time passcode (OTP) every 60 seconds
• Expensive to distribute, replace, and maintain
  – Another item for end users to carry and remember
• Single channel of communication
• Complex to extend to cloud/SaaS services
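The 60-second passcode a key fob displays is normally an HMAC-based OTP (RFC 4226 HOTP driven by a clock counter, RFC 6238 TOTP). The following Python is an added example, not code from the talk or from any Azure MFA component: it generates such codes and shows the checks a verifier needs, namely a small drift window and a "never accept a step at or before the last accepted one" rule so a code that was observed in transit cannot be replayed. The 6-digit length, 20-byte seed and one-step window are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # the token in the talk rolls its passcode every 60 seconds
DIGITS = 6          # passcode length (assumed; RFC 4226 allows 6 to 8 digits)


def new_token_secret() -> bytes:
    """Seed shared between the token (or phone app) and the verifier at enrolment."""
    return secrets.token_bytes(20)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """Server-side check of a submitted passcode.

    Accepts codes from the current step plus `window` steps either side to
    absorb clock drift, and never accepts a step at or before the last one it
    already accepted, so a captured code cannot be replayed inside the window.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self._last_accepted = -1   # highest counter value accepted so far

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self._last_accepted:
                continue                      # replay or stale step
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):   # constant-time compare
                self._last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    import time
    seed = new_token_secret()
    now = time.time()
    shown = totp(seed, now)                  # what the key fob would display
    print("token shows", shown, "accepted:", TokenVerifier(seed).verify(shown, now))
```

`hotp` reproduces the published RFC 4226 test vectors (seed `12345678901234567890`, counter 0 gives 755224), which is a useful check for any OTP verifier you write or review; the replay rule is what turns a correct OTP algorithm into a safe second factor.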
Smart Cards
• Credit card or USB token with a user certificate
• Requires special hardware to read card
  – Difficult to work from non-company issued devices
• Complex infrastructure to support a proper PKI
• End users must keep track of card or token
  – Issuance and replacement procedures may require in-person visit
Azure Multi-Factor Authentication
• Authenticate via any registered mobile or desk phone or phone app
  – Optional PIN to verify the call
• No additional hardware requirement
• Two channels of communication adds security
(Architecture diagram on the slide; labels recovered: Windows Server AD or Other LDAP; On-Premises Apps: RADIUS, LDAP, IIS, RDS/VDI; Multi-Factor Authentication Server; Multi-Factor Authentication Service; Cloud Apps: SAML; Windows Azure Active Directory; .NET, Java, PHP…)
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.
Integrating Existing Systems
• Windows Azure MFA works with existing on-premises applications and services
• SAML and ADFS integration enables SaaS apps to transparently take advantage of MFA
• Azure Active Directory enables MFA for Office365 and AAD integrated applications
On-Premises Applications and Services
• MFA Server installed on-premises to broker authentication
  – RADIUS
  – LDAP
  – IIS Applications
  – ADFS/SAML
  – Remote Desktop Services
  – Custom integration via SDK
• MFA Server connects to Azure MFA cloud service to perform authentication
SaaS and Federated Applications
• ADFS in Windows Server 2012 R2 supports multi-factor authentication
  – MFA Server will also work with ADFS 2.0/2.1
• Authentication policies enable flexible deployment of multi-factor authentication
  – Device type
  – User location
  – Specific applications
Azure and Office365
• Link Azure MFA to your Azure Active Directory
• Enable users for MFA and they will be prompted to register on their next sign-in
• Experience with Office applications is not ideal today
  – Application specific passwords required for each non-web application
• Great for securing your administrative accounts
Deployment
• Two major steps to taking advantage of Azure MFA:
  – Register user phone information
  – Configure applications and services to use MFA
• Plan for new support dependencies
  – Forgotten PINs
  – Lost/stolen phones
• Don’t forget to involve your security team early on
On-Premises Server
• Download from the Azure MFA Portal
• Post-installation wizard will prompt for activation credentials
  – Generate these on the Azure MFA server download page
  – Credentials expire after 60 seconds
• Multiple instances can be configured to replicate
  – Don’t forget to back up the MFA server database
Authentication Methods
• Voice Call
  – Optional PIN and/or voice print analysis
• SMS Text Message, 1-way or 2-way
  – 1-way includes a one time pass code
  – 2-way requires user to reply with PIN
• App
  – Available for iOS, Android, Windows Phone
  – Push notification triggers app to approve authentication attempt
User Registration
• Phone numbers must be associated with each user to enable authentication
• On-premises, phone numbers can be sourced from Active Directory or via end user self-service registration
• In Windows Azure, phone numbers are currently sourced via end user self-service
Registration Portal
• Cloud users can be prompted by Windows Azure to register their phone details
• On-premises server includes an optional user registration portal
  – Populates the Windows Azure MFA server database
Registration Processes
• Think about how you will get all of your users registered
  – MFA Server can be configured to automatically email new users
• Azure MFA SDK can be used to build custom registration processes
  – You may not want to create an additional place for users to visit for IT services
Building Applications with the SDK
• Web service enables developers to integrate with on-premises Azure MFA server
• Typical scenarios include tightly integrating multi-factor authentication and building custom user management / registration portals
DEMO
Summary
• Azure MFA is a simple and secure solution for protecting existing and new applications
• Works with on-premises and cloud hosted applications
• No expensive tokens or complex end user training is required
Questions?
Please evaluate the session before you leave