Brian Desmond - Quickly and easily protect your applications and services with multi factor authentication
•Download as PPTX, PDF•
0 likes•3,367 views
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Brian Desmond - Quickly and easily protect your applications and services with multi factor authentication
Similar to Brian Desmond - Quickly and easily protect your applications and services with multi factor authentication (20)
More from Nordic Infrastructure Conference
More from Nordic Infrastructure Conference (20)
Recently uploaded
Recently uploaded (20)
Brian Desmond - Quickly and easily protect your applications and services with multi factor authentication
- 1. Protect Your Applications with Windows Azure Multi-Factor Authentication Brian Desmond
- 2. Intro • Chicago based • Active Directory & Identity consultant – Edgile, Inc – www.edgile.com • Microsoft MVP for Active Directory since 2003 • Author of Active Directory, 5th Ed from O’Reilly – You should own a copy! e-mail: brian.desmond@edgile.com e-mail: brian@briandesmond.com website & blog: www.briandesmond.com @brdesmond
- 3. Agenda • • • • • Intro to Multi-Factor Authentication Windows Azure Multi-Factor Authentication Configuration and Deployment Demo Wrap-Up
- 4. What is Multi-Factor Authentication? • Two or more factors: – Something you know: a password or PIN – Something you have: a phone, smart card or hardware token – Something you are: a fingerprint, retinal scan or other biometric • Even stronger with multiple communication channels
- 5. Why Multi-Factor Authentication? • The concept of keeping identities and data behind the firewall is changing – Users are working remotely – Employee owned devices are connecting to the network – Applications and services are moving to the cloud • Regulatory compliance requirements
- 6. Solutions in the Market Place Today Hardware Tokens Smart Cards Certificates Phones
- 7. Hardware Tokens • Key fob or other device that generates a one time passcode (OTP) every 60 seconds • Expensive to distribute, replace, and maintain – Another item for end users to carry and remember • Single channel of communication • Complex to extend to cloud/SaaS services
- 8. Smart Cards • Credit card or USB token with a user certificate • Requires special hardware to read card – Difficult to work from non-company issued devices • Complex infrastructure to support a proper PKI • End users must keep track of card or token – Issuance and replacement procedures may require inperson visit
- 9. Azure Multi-Factor Authentication • Authenticate via any registered mobile or desk phone or phone app – Optional PIN to proof the call • No additional hardware requirement • Two channels of communication adds security
- 10. 1 2 RADIUS LDAP IIS RDS/VDI Multi-Factor Authentication Server Windows Server AD or Other LDAP Multi-Factor Authentication Service
- 11. Integrating Existing Systems • Windows Azure MFA works with existing onpremises applications and services • SAML and ADFS integration enables SaaS apps to transparently take advantage of MFA • Azure Active Directory enables MFA for Office365 and AAD integrated applications
- 12. On-Premises Applications and Services • MFA Server installed on-premises to broker authentication – – – – – – RADIUS LDAP IIS Applications ADFS/SAML Remote Desktop Services Custom integration via SDK • MFA Server connects to Azure MFA cloud service to perform authentication
- 13. SaaS and Federated Applications • ADFS in Windows Server 2012 R2 supports multi-factor authentication – MFA Server will also work with ADFS 2.0/2.1 • Authentication policies enable flexible deployment of multi-factor authentication – Device type – User location – Specific applications
- 14. Azure and Office365 • Link Azure MFA to your Azure Active Directory • Enable users for MFA and they will be prompted to register on their next sign-in • Experience with Office applications is not ideal today – Application specific passwords required for each non-web application • Great for securing your administrative accounts
- 15. Deployment • Two major steps to taking advantage of Azure MFA: – Register user phone information – Configure applications and services to use MFA • Plan for new support dependencies – Forgotten PINs – Lost/stolen phones • Don’t forget to involve your security team early-on
- 16. On-Premises Server • Download from the Azure MFA Portal • Post-installation wizard will prompt for activation credentials – Generate these on the Azure MFA server download page – Credentials expire after 60 seconds • Multiple instances can be configured to replicate – Don’t forget to backup the MFA server database
- 17. Authentication Methods • Voice Call – Optional PIN and/or voice print analysis • SMS Text Message 1-way or 2-way – 1-way includes a one time pass code – 2-way requires user to reply with PIN • App – Available for iOS, Android, Windows Phone – Push notification triggers app to approve authentication attempt
- 18. User Registration • Phone numbers must be associated with each user to enable authentication • On-premises, phone numbers can be sourced from Active Directory or via end user self-service registration • In Windows Azure, phone numbers are currently sourced via end user self-service
- 19. Registration Portal • Cloud users can be prompted by Windows Azure to register their phone details • On-premises server includes an optional user registration portal – Populates the Windows Azure MFA server database
- 20. Registration Processes • Think about how you will get all of your users registered – MFA Server can be configured to automatically email new users • Azure MFA SDK can be used to build custom registration processes – You may not want to create an additional place for users to visit for IT services
- 21. Building Applications with the SDK • Web service enables developers to integrate with on-premises Azure MFA server • Typical scenarios include tightly integrating multi-factor authentication and building custom user management / registration portals
- 22. DEMO
- 23. Summary • Azure MFA is a simple and secure solution for protecting existing and new applications • Works with on-premises and cloud hosted applications • No expensive tokens or complex end user training is required
- 24. Questions?
- 25. Please evaluate the session before you leave
Editor's Notes
- First the user signs in from any device using their existing account credentials. If the user is signing into an on-premises application, the Multi-Factor Server that is installed at the customer’s site intercepts the authentication request. First it checks the username and password against the user directory. If the correct credentials are entered, a request is sent to the Multi-Factor Authenticationcloud service. The service sends the authentication request to the user’s phone. [click] Once the user has authenticated, they are instantly signed into the application. [click] The are a number of ways to configure the service to secure cloud apps. First, the on-premises multi-factor server can be used with Active Directory Federation Services or another SAML application for single sign in to cloud applications. [click] For apps that use Windows Azure Active Directory, the directory can call the Multi-Factor Authenticationcloud service directly. [click] Or developers can build multi-factor into their custom apps using one of the Software Development Kits.
- Convenience & SimplicityWith Multi-Factor Authentication from Windows Azure, there are no devices or certificates to purchase, provision, and maintain. It works with the user’s existing landline phone or mobile device.The authentication process is so simple. It takes just seconds and no special training is required. Unlike hardware tokens, users replace their own lost or broken phones.Users manage their own authentication methods and phone numbers, eliminating calls to your help desk for basic changes.Multi-Factor Authentication can synchronize with your existing Active Directory or LDAP directory and is built into Windows Azure Active Directory, so user management is centralized. Enrollment is fully automated. For on-premises identities, newusers can be prompted via an automated email to set up multi-factor using an on-premises web portal. For cloud identities, users are prompted to complete set up the next time they sign in. This allows for rapid deployment to large numbers of geographically dispersed users.Users get easy, anywhere access and you get a solution that’s easy to manage.ScaleThe service works out-of-the-box with a wide range of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems and much more. This includes Microsoft systems like: Microsoft VPN/RRASRemote Desktop GatewayUniversal Access GatewayTerminal ServicesSharePointOutlook Web AccessAs well as third party VPNs and virtual desktop systems.The service supports federation to cloud services using Active Directory Federation Services as well as other SAML-based applications.It is built into Windows Azure AD and works instantly with any applications that use the directory. This includes:Office 365Dynamics CRM OnlineWindows Azure PortalWindows Intune3rd Party ApplicationsAnd applications that use the new Azure AD App Access capabilityA Software Development Kit is available for use with custom applications and directories.The reliable, scalable service supports high-volume, mission critical applications.SecurityIts out-of-band push, call, and text methods offer added protection against malware and man-in-the-middle attacks.If the user does not approve an authentication request when prompted or cannot be reached for authentication, access is denied. However, because the user’s credentials are verified before the Multi-Factor Authentication service is triggered, this is an indication that the user’s password has been compromised. In some cases, the user will have the option to submit a fraud alert during the authentication request. This will prevent further login attempts and sends a notification to your IT department. You can then work with the user to reset the user’s password. A PIN option where available offers an additional layer of security by requiring users to also enter a secret PIN to authenticate. Rules regarding PIN strength and expiration can be set by the admin. If a user’s PIN has expired, for example, they will be prompted the set a new PIN the next time they are prompted for multi-factor authentication.On-demand and scheduled reports are available for auditing of authentication requests. Multi-Factor Authentication enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements for multi-factor authentication.