Thursday, February 16, 2017

Azure MFA Server–Authentication Types (Part I)

Azure MFA Server–Authentication Type (Part I)

Azure MFA Server–Authentication Type (Part II)

Original post - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Microsoft Azure Multi-Factor Authentication (MFA) supports several authentication types when an on-premises MFA Server is used. The Company Settings section lets the MFA administrator define company-wide defaults that apply to all users.

image

Administrators can also set (or override) the configuration for an individual user from the Users section.

image

End users can change their own selection from the User Portal, where the administrator has allowed users to change their method.

image

In general, the following authentication modes are available with an on-premises MFA Server. The purpose of this blog is to explain each authentication type and the result the user should expect, with screenshots.

  1. Phone call (Standard)
  2. Phone call (PIN)
  3. Text message (One-way OTP)
  4. Text message (Two-way OTP)
  5. Text message (One-way OTP + PIN)
  6. Text message (Two-way OTP + PIN)
  7. Azure Authenticator application (Standard)
  8. Azure Authenticator application (PIN)
  9. Azure Authenticator application (OATH token)
  10. Third Party OATH token

We will start with the Phone Call option. The Phone Call authentication type has two sub-options:

  1. Phone call (Standard)
  2. Phone call (PIN)

Authentication Type : Phone Call – Standard

image

Expected Result

In this mode the user is first authenticated with a user name and password; the second authentication is a phone call, as shown below. The user answers the call and presses the # key to approve the sign-in; no PIN is required, so anyone who can answer that phone can complete the second factor.

image

The first authentication is based on the MFA Server configuration. For RADIUS, for example, you can select the primary authentication target (Windows domain, LDAP bind or a RADIUS server) from the Target tab:

image

The "from" telephone number (caller ID) can be customized from the Azure console (https://manage.windowsazure.com/ –> Active Directory –> Configure –> Multi-factor Authentication –> Manage Service Settings –> Go to the Portal –> Configure –> Settings –> General Settings –> Caller ID Phone Number), as shown below. Note that only a United States phone number is accepted as the caller ID, and caller ID is not a security control: users should be told to approve only calls they initiated, not any call that shows the company number.

image

The voice messages can also be customized to suit your requirements. This option is available at https://manage.windowsazure.com/ –> Active Directory –> Configure –> Multi-factor Authentication –> Manage Service Settings –> Go to the Portal –> Configure –> Voice Messages section.

image

Authentication Type : Phone Call – PIN

In this scenario, we will use Phone call with PIN option. 

image

Expected Result

In this mode the user is first authenticated with a user name and password; the second authentication is again a phone call. During the call, MFA asks the user to enter their personal PIN on the phone keypad (followed by #) instead of just pressing #, so possession of the phone alone is not enough to approve the sign-in.

image

image

PIN creation and enforcement are based on the following configuration in the Users section.

image

You also have an option in the Company Settings section to enforce default PIN rules, as shown below:

image

The next authentication type is Text Message. The Text Message type has four sub-options:

  1. Text message (One-way OTP)
  2. Text message (Two-way OTP)
  3. Text message (One-way OTP + PIN)
  4. Text message (Two-way OTP + PIN)

Authentication Type : Text message - One-way OTP

image

Expected Result

In this mode the user is first authenticated with a user name and password; for the second authentication a text message containing a One-Time Passcode (OTP) is sent to the user, as shown below:

image

The user must enter this One-Time Passcode (OTP) in the application to complete the authentication request. For this mode the application must support challenge-response (authentication chaining): the MFA Server does not answer the first request with an accept or reject but with a challenge, and the application has to show a second prompt and send the OTP back. For RADIUS this is an Access-Challenge carrying a State attribute, which the client must echo in its second Access-Request. Clients that cannot handle a challenge should use the two-way text message mode instead.

image

Authentication Type : Text message – Two-way OTP

image

Expected Result

In this mode the user is first authenticated with a user name and password; for the second authentication a text message containing a One-Time Passcode (OTP) is sent to the user. The user must reply to that text message with the OTP to complete the authentication request, as shown below. Because the answer travels back over SMS rather than through the application, the application does not need challenge-response support; the MFA Server holds the request open until the reply arrives or the request times out.

image

Authentication Type : Text message - One-way OTP  + PIN

image

Expected Result

In this mode the user is first authenticated with a user name and password; for the second authentication a text message containing a One-Time Passcode (OTP) is sent to the user, as shown below:

image

The user enters the One-Time Passcode (OTP) followed by their personal PIN in the application to complete the authentication request. As with the plain one-way OTP mode, the application must support challenge-response.

image
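The challenge-response exchange that the one-way OTP and one-way OTP + PIN modes require, as an added example that is not part of the original post and is not Azure MFA Server code. It simulates both sides of a RADIUS conversation: the client sends an Access-Request with the password, the server answers with an Access-Challenge carrying a State attribute and a prompt, and the client sends a second Access-Request with the texted OTP (or OTP followed by PIN) and the State echoed back. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865; the user name, password, PIN, shared secret and the in-memory "SMS" are constructed values.

```python
"""Added example (not from the original post or from Azure MFA Server): the
RADIUS Access-Request / Access-Challenge / Access-Request exchange that the
one-way text-message modes need. Packet layout, User-Password hiding and the
Response Authenticator follow RFC 2865; all names and secrets are made up."""
import hashlib, hmac, os, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # attribute types
USERS = {b"alice": {"password": b"P@ssw0rd!", "pin": "4321"}}               # constructed

def _xor_blocks(data, authenticator, secret, chain_on_output):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    the first block is keyed with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if chain_on_output else block)
    return out

def hide_password(password, authenticator, secret):
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), authenticator, secret, True)

def reveal_password(hidden, authenticator, secret):
    return _xor_blocks(hidden, authenticator, secret, False).rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def build_request(ident, secret, user, cleartext, state=None):
    """Client side: fresh Request Authenticator, hidden User-Password, and on
    the second leg the server's State attribute echoed back unchanged."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(cleartext, req_auth, secret))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def response_is_authentic(packet, req_auth, secret):
    """Client side: verify the Response Authenticator before trusting the code."""
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

class MfaRadiusServer:
    """Toy stand-in for the MFA Server RADIUS front end. mode="otp" expects the
    texted OTP; mode="otp_pin" expects the OTP followed by the user's PIN."""
    def __init__(self, secret, users, mode="otp"):
        self.secret, self.users, self.mode = secret, users, mode
        self.pending = {}      # State token -> (user, expected answer)
        self.last_sms = None   # stands in for the text message that would be sent

    def handle(self, packet):
        _, ident, req_auth, attrs = decode(packet)
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        entered = reveal_password(a.get(USER_PASSWORD, b""), req_auth, self.secret)
        if STATE not in a:                          # first leg: primary credentials
            rec = self.users.get(user)
            if rec is None or not hmac.compare_digest(entered, rec["password"]):
                return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)
            self.last_sms = "".join(secrets.choice("0123456789") for _ in range(6))
            expected = self.last_sms + (rec["pin"] if self.mode == "otp_pin" else "")
            token = os.urandom(16)
            self.pending[token] = (user, expected.encode())
            prompt = [(STATE, token), (REPLY_MESSAGE, b"Enter the passcode from the text message")]
            return build_response(ACCESS_CHALLENGE, ident, req_auth, prompt, self.secret)
        pending = self.pending.pop(a[STATE], None)  # a State token is single-use
        if pending and pending[0] == user and hmac.compare_digest(entered, pending[1]):
            return build_response(ACCESS_ACCEPT, ident, req_auth, [], self.secret)
        return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)

def authenticate(server, user, password, pin=""):
    """Client flow; True only on an authentic Access-Accept. `pin` is what the
    user types after the OTP in the OTP + PIN mode."""
    first = build_request(1, server.secret, user, password)
    reply = server.handle(first)
    if not response_is_authentic(reply, first[4:20], server.secret):
        return False
    code, _, _, attrs = decode(reply)
    if code != ACCESS_CHALLENGE:                    # rejected at the first leg
        return False
    answer = (server.last_sms + pin).encode()       # the user reads the SMS and types it
    second = build_request(2, server.secret, user, answer, dict(attrs)[STATE])
    reply = server.handle(second)
    return response_is_authentic(reply, second[4:20], server.secret) and decode(reply)[0] == ACCESS_ACCEPT
```

Run it with `authenticate(MfaRadiusServer(b"radius-shared-secret", USERS, "otp_pin"), b"alice", b"P@ssw0rd!", "4321")`, which returns True; leaving the PIN off or supplying a wrong one returns False. The two points a client implementer needs are visible in the code: the second Access-Request must carry the State attribute back unchanged, and the Response Authenticator on every reply has to be verified before the code is trusted. The pending State is consumed on first use, so a captured second leg cannot be replayed.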

The PIN value is based on the configuration in the Users section or in Company Settings:

User settings:

image

Company Settings:

image
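The PIN rules referred to above (the per-user PIN settings and the default PIN rules in Company Settings, both here and in the Phone Call with PIN section) illustrated as a small policy checker. This is an added example, not code from the original post or from Azure MFA Server; which rules are modelled (minimum length, rejection of weak PINs, no reuse of recent PINs), their default values and the salted PBKDF2 fingerprints used for the history are my assumptions.

```python
"""Added example (not from the original post or from Azure MFA Server): a PIN
rules checker of the kind the per-user PIN settings and the Company Settings
default PIN rules describe. The rules modelled (minimum length, weak PIN
rejection, no reuse of recent PINs) and their defaults are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class PinPolicy:
    min_length: int = 4        # assumed default
    prevent_weak: bool = True  # reject runs, repeats and single-digit PINs
    history: int = 3           # current PIN plus previous ones that may not be reused


def is_weak_pin(pin: str) -> bool:
    """Single digit (1111), ascending/descending runs including wrap-around
    (1234, 4321, 9012) or a short pattern repeated (1212, 123123)."""
    if len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:
        return True
    return any(len(pin) % n == 0 and pin[:n] * (len(pin) // n) == pin
               for n in range(1, len(pin) // 2 + 1))


def pin_fingerprint(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked history table does not give old PINs away."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinStore:
    """Holds one user's PIN history (fingerprints only) and applies the policy."""
    def __init__(self, policy: PinPolicy):
        self.policy = policy
        self.salt = os.urandom(16)
        self.recent = []   # newest first

    def check(self, pin: str) -> Optional[str]:
        """Return the rejection reason, or None if the PIN is acceptable."""
        if not pin.isdigit():
            return "PIN must contain digits only"
        if len(pin) < self.policy.min_length:
            return f"PIN must be at least {self.policy.min_length} digits"
        if self.policy.prevent_weak and is_weak_pin(pin):
            return "PIN is too predictable"
        fp = pin_fingerprint(pin, self.salt)
        if any(hmac.compare_digest(fp, old) for old in self.recent[:self.policy.history]):
            return f"PIN matches one of the last {self.policy.history} PINs"
        return None

    def set_pin(self, pin: str) -> None:
        reason = self.check(pin)
        if reason is not None:
            raise ValueError(reason)
        self.recent.insert(0, pin_fingerprint(pin, self.salt))
        del self.recent[self.policy.history:]
```

With `PinPolicy(min_length=6, history=2)`, `PinStore.check("123456")` is rejected as predictable, `check("273948")` is accepted, and after `set_pin("273948")` the same value is refused until two newer PINs have been set. The weak-PIN test is deliberately simple; a real deployment would also block the user's phone extension, birth year and similar values if they are available.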

Authentication Type : Text message – Two-way OTP  + PIN

image

Expected Result

In this mode the user is first authenticated with a user name and password; for the second authentication a text message containing a One-Time Passcode (OTP) is sent to the user. The user must reply to that text message with the OTP followed by their personal PIN to complete the authentication request, as shown below:

image

I believe we have enough information and screenshots for this blog. I will cover the following authentication types in Part II of this blog:

  1. Azure Authenticator application (Standard)
  2. Azure Authenticator application (PIN)
  3. Azure Authenticator application (OATH token)
  4. Third Party OATH token
