On-Premises Application – MFA as built-into the application
To perform a multi-factor authentication for on premise applications, you need your application to redirect authentication to a service (MFA service) that will authenticate users by username and password, and by using the user’s mobile phone as a second factor authentication.
Dual Factor support is out of the box in .NET provided you use the Identity Framework (for SQL Membership provider, it is much harder to do Dual Factor, and it is not considered ‘Out of the box’, see comparison at the end of this article).
If you plan on using either TEXT (SMS) or Email based notifications for the second factor, you have to write just a little bit of code to get it all working.
SMS? Email? How about BOTH? Offer the user a dropdown allowing them to select what method they want to use:
If a user tries to login you need to make sure they are a VerifiedUser. If not, get a valid two factor provider and send them a code to validate. In this case, since there are two providers to choice from, I let them pick from a dropdown.
On-Premises Application –Move the SECOND FACTOR to the Cloud
Although the ‘built in’ approach seems to be a very effective solution, it introduces another problem. The IT administrators need to install and deploy the MFA service on premise, worry about how this service can contact the user’ mobile device for second factor authentication, and to make sure this service is always available. While the support in .NET is excellent for the basic types of second factor notification, it still ties you down to the single application that is coded to use MFA. If, for example, you also want to use the same DFA for your VPN access, you would be out of luck.
The solution is to introduce a layer of abstraction. Move the MFA service to the cloud and use the MFA part as an offered cloud service. Your application will contact a cloud service for a second factor authentication, the cloud service will take over the task of contacting the user mobile number and getting response back, and finally the cloud service will return to your application with a response (success/failure).
A solution that works for all applications
These applications can be your VPN server, your RDS farm, your IIS portals or any other service.
How does it work?
Corporate applications that require multi-factor authentication will proxy any authentication request to the on premise MFA server. The MFA on premise server will contact your Active Directory or any LDAP directory on premise to check if the first factor authentication (username and password) is correct. If and only if the first factor authentication is successful, then the MFA on premise server will connect to Azure services asking it to do the second factor authentication via the user’s mobile phone. This can be a phone call, an SMS message, or a push notification using Azure MFA mobile App. Azure MFA is the level of abstraction that it provides. Your applications will do the first factor authentication using username or password perhaps, and then offload the second factor authentication to Azure MFA services. You can configure each user with his preferable second factor authentication method. One use can choose a phone call as his second factor authentication where another may choose the mobile app.
Integrate with existing AD
Automate enrollment by integrating with your existing Active Directory.
Real Time Fraud Alerts, Reports
Some additional freebies that you get with Azure MFA include Real Time Fraud alerts and advanced reporting and intelligence around user authentication.