Windows Azure Multi-Factor Authentication: presentation and use cases

Come and discover Windows Azure Multi-Factor Authentication (formerly PhoneFactor) and how it has become simple to add a second authentication factor to your online services (existing Windows Azure, Office 365 and Dynamics CRM Online) or to your internal solutions, in just a few clicks. The second factor can now be a simple phone call, an SMS, a mobile application, …

Speakers: Alexandre Giraud (3SR), Thomas Varlet (Microsoft), Philippe Beraud (Microsoft)

Published in: Technology

  • Multi-factor authentication, also commonly referred to as two-factor authentication, is a best practice for securing user access. It works by requiring any two or more of the following: something you know (typically a password); something you have (a trusted device that is not easily duplicated); or something you are (biometrics). It is stronger when the factors are verified over distinct (out-of-band) channels. The security of multi-factor authentication lies in its layered approach: compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device. Conversely, if the user happens to lose the device, whoever finds it cannot use it without also knowing the user's password. The most common multi-factor methods include hardware tokens like RSA SecurID, certificates, smartcards and, increasingly, phone-based authentication methods, which use the user's telephone as the trusted device for the second factor of authentication.
  • Windows Azure Multi-Factor Authentication is powered by the market-leading PhoneFactor service, acquired by Microsoft in 2012. The service is trusted by thousands of enterprise customers, healthcare organizations, banking and financial services companies, as well as government agencies at the state, local and federal level. The service authenticates millions of logins and financial transactions around the globe each month. It is battle tested and enterprise-ready. While Multi-Factor Authentication is part of the Windows Azure family and is powered by a cloud service, it is often deployed to secure on-premises applications in conjunction with an on-premises directory like Windows Server Active Directory. It supports on-premises, cloud and hybrid scenarios.
  • Multi-Factor Authentication offers the additional security you demand using the phones your users already carry. Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them, and support for multiple methods ensures additional authentication is always available.
    • Mobile app: Multi-Factor Authentication apps are available for Windows Phone, iOS phones and tablets, and Android devices. Users download the free app from the device store and activate it using a code provided during setup. When the user signs in, a notification is pushed to the app on their mobile device and the user taps to approve or deny the authentication request; cellular or Wi-Fi access is required. For offline authentication, the app works like a software token and generates a one-time passcode that is entered during sign-in. The one-time-passcode method is comparable to the software (soft) token solutions offered by vendors like RSA and Gemalto.
    • Phone call: automated phone calls are placed by the Multi-Factor Authentication service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign-in.
    • Text message: text messages are sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode; the user is prompted either to reply to the text message with the passcode or to enter the passcode into the sign-in screen.
  • First, the user signs in from any device using their existing account credentials. If the user is signing into an on-premises application, the Multi-Factor Server installed at the customer's site intercepts the authentication request. It first checks the username and password against the user directory. Only if the correct credentials are entered is a request sent to the Multi-Factor Authentication cloud service, which sends the authentication request to the user's phone. Once the user has authenticated, they are instantly signed into the application. There are a number of ways to configure the service to secure cloud apps. First, the on-premises Multi-Factor Server can be used with Active Directory Federation Services or another SAML application for single sign-on to cloud applications. For apps that use Windows Azure Active Directory, the directory can call the Multi-Factor Authentication cloud service directly. Or developers can build multi-factor into their custom apps using one of the Software Development Kits.
  • Security is often at odds with simplicity, but Windows Azure Multi-Factor Authentication affords you the benefit of both security AND convenience. As more enterprise workloads move to the cloud and organizations build cloud-based applications for partners and customers, multi-factor will be required for a growing number of employees, partners, and customers to secure a growing number of applications. Systems that are cumbersome to set up, manage, and use simply won’t scale to meet this demand. Windows Azure Multi-Factor Authentication offers simple set up, centralized user management, and an easy-to-use form factor so it can be quickly enabled for large numbers of users and applications. The service is backed by a robust, scalable service that is ready to support your enterprise today and in the future.
  • Traditionally, strong authentication has been time-consuming to deploy and has required significant ongoing resources to support. It was also a hassle for users, who had to carry extra devices or whose access was limited to computers with smartcard readers or installed certificates. With Multi-Factor Authentication from Windows Azure, there are no devices or certificates to purchase, provision and maintain: it works with the user's existing landline phone or mobile device. The authentication process is simple, takes just seconds and requires no special training. Unlike hardware tokens, users replace their own lost or broken phones. Users manage their own authentication methods and phone numbers, eliminating calls to your help desk for basic changes. Multi-Factor Authentication can synchronize with your existing Active Directory or LDAP directory and is built into Windows Azure Active Directory, so user management is centralized. Enrollment is fully automated: for on-premises identities, new users can be prompted via an automated email to set up multi-factor using an on-premises web portal; for cloud identities, users are prompted to complete setup the next time they sign in. This allows rapid deployment to large numbers of geographically dispersed users. Users get easy, anywhere access and you get a solution that's easy to manage.
  • Windows Azure Multi-Factor Authentication scales to support the needs of all of your users and applications. The service works out of the box with a wide range of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems and much more. This includes Microsoft systems such as:
    • Microsoft VPN/RRAS
    • Remote Desktop Gateway
    • Universal Access Gateway
    • Terminal Services
    • SharePoint
    • Outlook Web Access
    as well as third-party VPNs and virtual desktop systems. The service supports federation to cloud services using Active Directory Federation Services as well as other SAML-based applications. It is built into Windows Azure AD and works instantly with any application that uses the directory. This includes:
    • Office 365
    • Dynamics CRM Online
    • Windows Azure Portal
    • Windows Intune
    • third-party applications
    • applications that use the new Azure AD App Access capability
    A Software Development Kit is available for use with custom applications and directories. The reliable, scalable service supports high-volume, mission-critical applications.
  • The Multi-Factor Authentication service offers strong protection against even the most sophisticated attacks. Its out-of-band push, call and text methods offer added protection against malware and man-in-the-middle attacks. If the user does not approve an authentication request when prompted, or cannot be reached for authentication, access is denied. Because the user's credentials are verified before the Multi-Factor Authentication service is triggered, a denied or unanswered second-factor request following a successful password check is an indication that the user's password has been compromised. In some cases, the user will have the option to submit a fraud alert during the authentication request; this blocks further login attempts and sends a notification to your IT department, so you can then work with the user to reset the user's password. A PIN option, where available, offers an additional layer of security by requiring users to also enter a secret PIN to authenticate. Rules regarding PIN strength and expiration can be set by the admin; if a user's PIN has expired, for example, they will be prompted to set a new PIN the next time they are prompted for multi-factor authentication. On-demand and scheduled reports are available for auditing of authentication requests. Multi-Factor Authentication enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS and other regulatory requirements for multi-factor authentication.
  • The above papers are available on the Microsoft Download Center:
    • Active Directory from the on-premises to the Cloud
    • Office 365 Single Sign-On with AD FS 2.0
    • Office 365 Single Sign-On with Shibboleth 2.0
    • Office 365 Adapter
    • Deploying Office 365 Single Sign-On using Windows Azure
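The detection point in the notes above (password verified first, so a denied, unanswered or fraud-flagged second factor points at a compromised password) as an added example; this is not code from the presentation or from the Azure MFA service. The log format, the outcome labels and the follow-up action names are assumptions made for the illustration, and the sample events are constructed.

```python
"""Triage second-factor outcomes to spot compromised passwords.

Added example, not code from the presentation or the Azure MFA service. The
password is checked before the second factor is requested, so a denied,
unanswered or fraud-flagged second factor after a successful password check
suggests the password is known to someone else.
"""
from collections import defaultdict

# Constructed sample events (illustrative format, not the service's own):
# timestamp  user  first-factor result  second-factor result
SAMPLE_LOG = """\
2014-02-11T09:01:12Z alice PASSWORD_OK MFA_APPROVED
2014-02-11T09:05:40Z bob PASSWORD_FAIL -
2014-02-11T09:06:02Z bob PASSWORD_FAIL -
2014-02-11T09:07:31Z carol PASSWORD_OK MFA_DENIED
2014-02-11T09:09:55Z carol PASSWORD_OK MFA_UNREACHABLE
2014-02-11T09:12:10Z dave PASSWORD_OK MFA_FRAUD_ALERT
2014-02-11T09:15:00Z alice PASSWORD_OK MFA_DENIED
"""
# Second-factor outcomes that deny the login at the second step.
SECOND_FACTOR_FAILURES = {"MFA_DENIED", "MFA_UNREACHABLE", "MFA_FRAUD_ALERT"}


def parse_log(text):
    """Return (timestamp, user, first_factor, second_factor) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def triage(events, threshold=2):
    """Map each user of concern to a follow-up action (action names assumed).

    A fraud alert from the user blocks the account and notifies IT at once;
    `threshold` or more password-OK-but-second-factor-failed events call for a
    password reset; a single one goes on a watch list. Wrong-password attempts
    never reach the second factor, so they carry no signal here.
    """
    failures = defaultdict(list)
    actions = {}
    for ts, user, first, second in events:
        if first != "PASSWORD_OK":
            continue
        if second == "MFA_FRAUD_ALERT":
            actions[user] = "block_and_notify_it"
        elif second in SECOND_FACTOR_FAILURES:
            failures[user].append(ts)
    for user, times in failures.items():
        if actions.get(user) != "block_and_notify_it":
            actions[user] = "reset_password" if len(times) >= threshold else "watch"
    return actions


if __name__ == "__main__":
    for user, action in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(f"{user}: {action}")
```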
  • Transcript

    • 1. Windows Azure Multi-Factor Authentication: presentation and use cases. Alexandre Giraud | 3SR; Philippe Beraud | Microsoft France; Thomas Varlet | Microsoft France. @Alex_Giraud, @philberd, @TomtomAtMs. #mstechdays Security
    • 2. Give us your feedback! From your smartphone at: Many prizes to win every hour!!! Microsoft keyboards, mice and games… Help us improve TechDays!
    • 3. Objectives of our session. Gain a better understanding of: • the important role multi-factor authentication plays in securing applications and data; • the main benefits and features of Windows Azure Multi-Factor Authentication (MFA); • how multi-factor authentication supports cloud, on-premises and hybrid scenarios.
    • 4. What is multi-factor authentication? Two of the following factors: something you know: a password or a PIN code; something you have: a phone, a credit card or a hardware token; something you are: a fingerprint, a retinal scan or any other biometric element. Stronger when two different (out-of-band) channels are used.
    • 5. What is Windows Azure Multi-Factor Authentication? Built on PhoneFactor technology • a Microsoft acquisition in 2012 • trusted by thousands of companies to authenticate access by their employees, partners and customers. Secures applications and identities in the cloud and on-premises.
    • 6. What is the user experience? *MFA Server only today
    • 7. What is the user experience?
    • 8. (diagram only; step labels 1 and 2)
    • 9. SECURING ACCESS TO OFFICE 365: illustration of the user experience
    • 10. (no slide text)
    • 11. No devices or certificates to acquire, provision and maintain. No user training required. Users replace their own lost or broken phones. Users manage their own phone numbers and the associated authentication methods. Integration with the existing directory for centralized user management and automated enrollment.
    • 12. USER ENROLLMENT: user experience for managing devices and the type of authentication
    • 13. Works with the main on-premises applications and services. Supports AD FS as well as SAML-based applications (for federation to the cloud). Directly integrated with Windows Azure Active Directory for use with cloud applications. SDK for integration with custom directories and applications. A reliable, scalable service to support business-critical, high-volume scenarios.
    • 14. INTEGRATION WITH ON-PREMISES AD FS: for secure access to cloud resources
    • 15. SECURING RDS GATEWAY: for access to enterprise applications
    • 16. SECURING APPLICATIONS AND BUSINESS PROCESSES: using the SDK* with a PHP application. *SDK available for .NET, Java, PHP, Perl and Ruby
    • 17. Strong multi-factor authentication. Real-time fraud alerts. PIN code option. Logging and reporting for audit purposes. Enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS and other regulatory requirements.
    • 18. REPORTING AND AUDIT: advanced features
    • 19. Pricing and availability. Windows Azure MFA standalone offer • Includes the Windows Azure MFA service, MFA Server, SDK, etc. • €1.50 per user, or €1.50 per 10 authentications • Available in AD, AD FS and Windows Azure AD to improve access security for a wide variety of on-premises and cloud applications • Available for VPN access, remote sessions, web applications and custom applications • Currently hosted in US data centers, being extended to Europe
    • 20. Pricing and availability. MFA for Office 365 offer • Included in the Office 365 SKU • Free for administrators… • …and now for Office 365 users too! • To secure Office 365 resources only
    • 21. Windows Azure MFA vs. MFA for Office 365 (feature comparison; the check-mark columns did not survive extraction): administrators can enable/enforce MFA for end users; mobile app (notifications and OTP) as second factor; phone call as second authentication factor; SMS as second authentication factor; app passwords for rich clients (e.g. Outlook, Lync); Microsoft voice messages played during an MFA call; custom voice messages played during an MFA call; fraud alert; MFA software development kit (SDK); security reports; MFA for on-premises applications / MFA Server; one-time bypass; block/unblock users; customizable caller ID phone number; event confirmation
    • 22. In conclusion. Reminder of our session objectives: gain a better understanding of: • the important role multi-factor authentication plays in securing applications and data; • the main benefits and features of Windows Azure MFA; • how multi-factor authentication supports cloud, on-premises and hybrid scenarios. Windows Azure MFA can help you meet your security and compliance objectives! Adding a second authentication factor to your on-premises and cloud applications has never been so easy :)
    • 23. White papers and step-by-step guides: Leverage Windows Azure Multi-Factor Authentication with Windows Azure AD; Leverage Windows Azure Multi-Factor Authentication Server for Windows Azure AD single sign-on with AD FS
    • 24. To go further: Windows Azure trial
    • 25. Try Windows Azure now! Partners: MSDN: €150 of resources. Continue the discussion
    • 26. Digital is business