This article is primarily targeted at Czech state institutions and is based on recommendations of the Czech authority. However,...
Azure MFA and authentication options
Lukas Beran
Multi-factor authentication (MFA) is a method to dramatically increase the security of a user identity. For multi-factor authentication, at least two independent authentication methods of the following three are required for successful user authentication:
- Something I know (typically username and password)
- Something I have (eg mobile phone, HW key, etc.)
- Something I am (biometric authentication – fingerprint, face scan, etc.)
At this time, user authentication based only on username and password cannot be considered sufficient security for the user’s identity. Users tend to use simple passwords that are somehow associated with them (pet name, partner name, date of birth, anniversary, name of organization they work for, etc.) to be easily remembered. Also, they typically use a single password across multiple accounts across multiple services to avoid having to remember many different passwords, which increases the risk of leakage.
Azure MFA is Microsoft's cloud multi-factor authentication service. It is integrated with Azure AD, so it can be used for all Microsoft cloud services, including Office 365, and also, for example, for VPN (RRAS, Cisco ASA, etc.) or for the Remote Desktop Gateway. But more about that next time 🙂
Price of Azure MFA
Azure MFA is not charged per use of the service; instead there is a regular monthly fee per user with no usage limit. For all users who are assigned an Office 365 license, Azure MFA for Office 365 services is available free of charge under Security Defaults. The second option is to purchase Azure MFA as part of Azure AD Premium licenses, which also include Conditional Access and other benefits. For global administrators, Azure MFA is completely free. The complete licensing options are described in the documentation.
Authentication options in Azure MFA
Azure MFA offers several user authentication options.
Phone call
The user enters his / her phone number as authentication information and, when prompted for multi-factor authentication, receives an incoming phone call. Pressing # on the keypad confirms the authentication.
The advantage of this method is simplicity and versatility. The user does not need a smartphone; in fact, a landline is sufficient, and no internet connection on the mobile phone is needed. On the other hand, roaming charges for incoming calls may apply abroad. And from the security point of view, this is not an optimal method: phone calls are not encrypted, the call may be redirected, a new SIM may be issued for the given number, etc.
SMS
The user enters his / her phone number as authentication information. When multi-factor authentication is requested, the user receives an SMS with a 6-digit verification code, which the user types into the login screen.
The advantage is again simplicity and versatility. There is no need for a smartphone and, theoretically, even a landline is sufficient if the PBX is able to read incoming messages. No internet connection is required. However, the disadvantages are very similar to those of phone calls, and it is not an optimal authentication method, mainly from the security point of view.
Verification code from mobile app
If a user has a smartphone, he / she can install Microsoft Authenticator for iOS or Android and then add his / her account to the application (typically by scanning a QR code); verification codes will then be generated for that account. Microsoft uses the same method of generating verification codes (OTP = One-Time Password) as many other cloud services, so it is not even necessary to use Microsoft Authenticator; any other OTP-based authenticator (Google, Facebook, etc.) can be used. When authentication is requested, the user types in the 6-digit verification code from the application, which is regenerated every 30 seconds.
The disadvantage is that you need a smartphone with the app installed, and you need to retype the verification code every time you verify. The advantage is that there is no need to connect to the Internet at the time of verification, there is no need to wait for a phone call or SMS code, and from the security point of view it is a much more secure method than the phone calls or SMS mentioned above, because the verification codes are generated directly on the mobile phone and are not sent over any insecure channel.
Push notifications in mobile app
Push notification in the mobile app requires the Microsoft Authenticator mobile app installed. This is my favorite method and I use it myself for verification because it is very convenient and yet secure. No other authentication application can be used for this verification option. The application is then paired again with the user account by scanning a QR code. When requesting authentication, the user receives a push notification on his / her mobile phone and just approves the request.
The downside is that you need a smartphone with an internet connection, because push notifications are delivered to the mobile application over the Internet. The advantage is user comfort: it is not necessary to copy any codes or wait for and confirm phone calls, just approve the notification on the mobile phone. Another advantage is security, because all communication is encrypted.
HW authentication token
The HW authentication token is a new method available for user authentication in Azure AD. Specifically, this is FIDO2 authentication. A user pairs his / her FIDO2 device (typically a USB device similar to a flash drive) with his / her account and can then use the FIDO2 device to log on.
The advantage is very strong security. This is one of the few verification methods that has no known weaknesses, so it is the right choice for high security requirements. Another advantage is that when authenticating via FIDO2, users do not have to enter either their user name or their password. The user just enters the PIN that protects the FIDO2 device, then selects the account he / she wants to log in with, and that's it. The disadvantage is that the user must carry the FIDO2 device at all times and connect it to the computer for authentication.
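Part of what makes the FIDO2 login above strong is that the service (the "relying party" in WebAuthn terms) does not only verify a signature; it also checks the authenticator data returned with every signed assertion: that the key was registered for this exact service, that the user actually unlocked the key (the PIN or biometric the article mentions), and that the key's signature counter keeps increasing. The following is an added, illustrative example of those policy checks, not Azure AD's own code; it follows the fixed 37-byte prefix layout of WebAuthn authenticator data (rpIdHash, flags, signCount), and `login.example` plus the constructed sample data are placeholders.

```python
import hashlib
import struct
from typing import Tuple

FLAG_UP = 0x01  # user present: the user touched the key
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the key itself


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int) -> Tuple[bool, str]:
    """Policy checks a relying party applies to an assertion before trusting it."""
    parsed = parse_authenticator_data(auth_data)
    # The key signs a hash of the service's own identifier, so a credential
    # registered elsewhere cannot be replayed against this service.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "user presence flag not set"
    # Require the PIN/biometric step the article describes, not just a touch.
    if not parsed["user_verified"]:
        return False, "user verification (PIN/biometric) required but not performed"
    # A counter that fails to increase suggests a cloned authenticator.
    # (Both zero means the key does not implement a counter; that is allowed.)
    if (parsed["sign_count"] != 0 or stored_sign_count != 0) and parsed["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, f"ok, new sign_count={parsed['sign_count']}"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticator data for demonstration only (no real key involved)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "login.example"  # placeholder relying party identifier
    sample = build_auth_data(rp, FLAG_UP | FLAG_UV, sign_count=5)
    print(check_assertion(sample, rp, stored_sign_count=4))
    print(check_assertion(build_auth_data(rp, FLAG_UP, 6), rp, 4))
```

After a successful check the relying party stores the new counter for that credential, so the next assertion must present a higher value; the signature over the authenticator data is verified with the credential's public key before these checks are trusted.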
Windows Hello for Business
Windows Hello for Business is a method that does not need to be specifically configured or explicitly mentioned from the end user perspective. Therefore, this method is not usually mentioned in any Azure MFA manuals or documentation. Windows Hello for Business is a method of multi-factor authentication because it combines something I have (my one specific computer I configured Windows Hello for Business on) and something I know (PIN) or something I am (biometrics).
If the user's computer is joined to Azure AD (using Azure AD Hybrid Join or Azure AD Join) and Windows Hello for Business and Single Sign-On (SSO) are configured and working correctly, the user receives a token stating that the user has been authenticated with MFA via Windows Hello for Business, and MFA should no longer be required for cloud services.
When configuring authentication methods, the user can choose the default method that is automatically invoked when an authentication request is made. However, a user can have multiple authentication methods set up, so if one method is unavailable, the user may use another. This is useful, for example, when a user uses push notifications as the default method but does not have a mobile Internet connection, so he / she can choose to receive a code via SMS or use the mobile app code (OTP) instead.