Get to know Windows Azure Multi-factor Authentication (MFA)

Azure Multi-Factor Authentication refers to a Characteristic of an authentication system or an authenticator that requires more than one authentication factors for successful authentication. Multi-factor authentication can be performed using a single authentication that provides more than one factor or by a combination of authenticators that provide different factors.

What is Azure Multi-Factor Authentication?

Having two different factors isn’t multi-factor authentication, that’s just having two different instances of the same factor. You need different factors and the more factors that are used the stronger the implementation is considered to be.

A debit card is a perfect example of multi-factor authentication.

Something you have – Card itself

Something you know – Pin Code

One factor alone isn’t enough to complete the transaction, so you are using the two different factors to prove that you are the owner of the bank account. That model has been built into the IT industry with organizations issuing multi-factor credentials to the users. Which could something static like software certificates that used in the combination of a static password or something more dynamic like hardware token that generates the one-time password that changes every 30 seconds?

RSA Secure ID is a well-known example, the user enters the passcode from the device into the browser and the passcode is validated on the server in order to verify they are in the possession of the token. Similarly, the new Microsoft authenticator App can perform the same function by providing the passcode to the user’s mobile device which is a part of the Azure MFA suite of tools.

Concept of Azure Multi-Factor Authentication

Username and password authentication probably aren’t going away any soon but adding another factor of authentication in a combination of username and password is a way to further assurance of the user identity.

Relevant Authentication factors

Memorized secret passwords or passcodes besides using an Azure MFA as the second factor of authentication after using the primary username and password, you see the Azure MFA can also leverage the static pin code assigned to an individual user while using the Azure MFA server on-premises

Out of band device is another authenticator type, it’s a physical device that uniquely addressable and can communicate securely over a distinct communication channel. So, in the case of Azure MFA that device is the mobile phone and the secondary network is the phone network or the internet when using the Microsoft authenticator APP.

Single Factor OTP device OTP stands for one-time passcode it’s a hardware token or software-based token generator installed on a device like mobile phone and generates one-time passcodes, it doesn’t require second channel to receive the passcode. The passcode is generated with a seed value and device clock. The password changes in regular intervals when you input the password to the system you are trying to access the password is verified on the server-side because the same seed value that’s been issue to your token is used to verify on the server.

Risk of Authentication Factors

No, factors or method of authentication is without its risk and threats.

In Something you know category could be compromised in variety of ways, the attacker might get the password using phishing or social engineering attacks or even through malware installed in computer like keyboard logger.

When it comes to Something you have factor, the device could get stolen or the hardware authenticator could get tampered with or software authenticator could get copied with user’s computer. In the case of authentication using phone calls and text messages over the public telephone network these could be intercepted or redirected.

And even in Something you are factor is acceptable to threats, the attacker could copy the user’s fingerprints and create a replica.

But the point is nothing is without its threat. So, the point of multi-factor authentication is to make successful attack to difficult, if an attacker needs to guess memorize secret and hardware authenticator then they much likely to hold to the both and out of band is used to proof of possession of a registered device become even more difficult. The attacker might get the password through a web application when the second factor of authentication send to your phone, they won’t have possession of your device to perform the second factor.

Understanding Azure Multi-Factor Authentication (MFA)

So, now you know the passwords aren’t enough anymore, for better understanding what Multi-Factor Authentication is and how you can verify user’s identity. Azure MFA is service from Microsoft to add MFA to your cloud based and on-premises application.

Azure MFA can verify a user’s identity in a variety of methods:

• Phone call
  • The user responds by hitting #
  • The caller ID number can be chosen
  • Optional Pin code (Azure MFA server)
• Text Message
  • One way
  • Two way
  • Optional Pin code (Azure MFA server)

• Microsoft Authenticator App
  • Push verification
  • Optional Pin code (Azure MFA server)

• OATH Token

In terms of deployments, Azure MFA works like this, a user registers the device with the account, for strictly cloud-based scenarios that account is stored in Azure active directory in the user portal to register phone number is provided in the cloud. It is just a few clicks to add MFA to Azure AD accounts and everything is provide including the portals to mangae Azure MFA along with reporting on authentications. Once the phone is being registered with the user’s identity and whenever a user logs-in to an application is protected with Azure MFA they get an authentication request to their phone, that authentication request is sent by the Azure MFA service in the cloud.

Depending on the method of authentication, the user might receive the passcode and enter that into the Azure AD login page, or they might respond to the verification request using their phone and the verification flows back through the service. as shown in the right side of the below image.

On-premises deployments, the user’s identity can be kept in the Enterprise Active Directory or any LDAP store and you can download the Azure MFA server to install on a physical/virtual server in your environment. Also, this infrastructure could all be running on your VM’s in Azure as well, you can manually add user’s to Azure MFA server or synchronize identities from AD or LDAP and if you aren’t already storing your phone numbers in your directory that information can be added to identities in MFA server. They can seek in a user portal you can install on a webserver to allow users to manage the information themselves, or you can set up some users as administrators of the portal so they can manage groups of other users. Users can change the authentication mode. For EX: from the phone call mode to use the Microsoft Authentication app using the portal.

Key Takeaways

Azure MFA integrates with Azure Active directory, any workload or SaaS application that is using Azure AD, can use Azure MFA authentication with no extra configuration or deployments.

Windows Azure Multi-Factor Authentication is easy to set up, manage, and use – enabling companies to meet their security and compliance requirements while providing a simple sign-in experience for their users. As you can see, this service is universal and provides multiple options to explore. Moreover, you can integrate it directly with your applications – there is an API provided for that.