Come and discover Windows Azure Multi-Factor Authentication (formerly PhoneFactor) and how simple it has become to add a second authentication factor to your online services (existing Windows Azure, Office 365 and Dynamics CRM Online) or your in-house solutions, in just a few clicks. The second factor can now be a simple phone call, an SMS, a mobile application, …
Speakers: Alexandre Giraud (3SR), Thomas Varlet (Microsoft), Philippe Beraud (Microsoft)
Windows Azure Multi-Factor Authentication, presentation and use cases
2. Windows Azure Multi-Factor Authentication: presentation and use cases
Alexandre Giraud | 3SR
Philippe Beraud | Microsoft France
Thomas Varlet | Microsoft France
b-alexg@microsoft.com, @Alex_Giraud
philippe.beraud@microsoft.com, @philberd
thomas.varlet@microsoft.com, @TomtomAtMs
Security
3. Give us your feedback!
From your smartphone at:
http://notes.mstechdays.fr
Many prizes to win every hour!
Microsoft keyboards, mice and games…
Thank you for helping us improve the TechDays!
#mstechdays
4. Objectives of our session
Gain a better understanding of:
• The important role multi-factor authentication plays in securing applications and data
• The main benefits and features of Windows Azure Multi-Factor Authentication (MFA)
• How multi-factor authentication supports cloud, on-premises and hybrid scenarios
6. What is multi-factor authentication?
Two of the following factors:
• Something you know: a password or a PIN code
• Something you have: a phone, a credit card or a hardware token
• Something you are: a fingerprint, a retinal scan or any other biometric element
Stronger when two different (out-of-band) channels are used.
7. What is Windows Azure Multi-Factor Authentication?
Based on PhoneFactor technology
• Acquired by Microsoft in 2012
• Trusted by thousands of businesses to authenticate access by their employees, partners and customers
Secures applications and identities in the cloud and on-premises
8. What is the user experience?
*MFA Server only today
13. No devices or certificates to acquire, provision and maintain
No user training is required
Users replace their own lost or broken phones
Users manage their own phone numbers and the associated authentication methods
Integration with the existing directory for centralized user management and automated enrollment
15. Works with the main on-premises applications and services
Supports AD FS as well as SAML-based applications (for federation to the cloud)
Directly integrated with Windows Azure Active Directory for use with cloud applications
SDK for integration with directories and custom applications
A reliable and scalable service to support business-critical, high-volume scenarios
16. INTEGRATION WITH ON-PREMISES AD FS
For secure access to cloud resources
18. SECURING APPLICATIONS AND BUSINESS PROCESSES
Using the SDK* with a PHP application
*SDK available for .NET, Java, PHP, Perl and Ruby
19. Strong multi-factor authentication
Real-time fraud alerts
PIN code option
Logging and reporting for audit purposes
Enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS and other regulatory requirements
21. Pricing and availability
Windows Azure MFA standalone offer
• Includes the Windows Azure MFA service, MFA Server, SDK, etc.
• €1.50 per user, or €1.50 per 10 authentications
• Available in AD, AD FS and Windows Azure AD to improve access security for a wide variety of on-premises and cloud applications
• Available for VPN access, remote sessions, web applications and custom applications
• Currently hosted in data centers in the United States, being extended to Europe
22. Pricing and availability
MFA offer for Office 365
• Included in the Office 365 SKU
• Free for administrators…
• …and now for Office 365 users too!
• To secure Office 365 resources only
23. Windows Azure MFA vs. MFA for Office 365
Features compared:
• Administrators can enable/enforce MFA for end users
• Mobile app (notifications and OTP) as second factor
• Phone call as second authentication factor
• SMS as second authentication factor
• App passwords for rich clients (e.g. Outlook, Lync)
• Microsoft voice messages played during an MFA call
• Custom voice messages played during an MFA call
• Fraud alert
• MFA Software Development Kit (SDK)
• Security reports
• MFA for on-premises applications / MFA Server
• One-time bypass
• Block/unblock users
• Customizable caller ID phone number
• Event confirmation
24. In conclusion
Reminder of our session objectives: gain a better understanding of:
• The important role multi-factor authentication plays in securing applications and data
• The main benefits and features of Windows Azure MFA
• How multi-factor authentication supports cloud, on-premises and hybrid scenarios
Windows Azure MFA can help you meet your security and compliance objectives!
Adding a second authentication factor to your on-premises and cloud applications has never been so easy :)
25. White papers and step-by-step guides
Leverage Windows Azure Multi-Factor Authentication with Windows Azure AD
Leverage Windows Azure Multi-Factor Authentication Server for Windows Azure AD single sign-on with AD FS
27. Try Windows Azure now!
MSDN: http://aka.ms/MSDN/Avantages/Abo (€150 of resources)
Partners: http://aka.ms/Azure/Partner
Free trial: http://aka.ms/free/trial
Continue the discussion
Multi-factor authentication, also commonly referred to as two-factor authentication, is a best practice for securing user access. It works by requiring any two or more of the following:
• Something you know (typically a password);
• Something you have (a trusted device that is not easily duplicated); or
• Something you are (biometrics).
It is stronger when factors are verified using distinct (or out-of-band) channels. The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device. On the other hand, if the user happens to lose the device, the finder of that device won't be able to use it unless he or she also knows the user's password. The most common multi-factor methods include hardware tokens like RSA SecurID, certificates, smartcards, and increasingly phone-based authentication methods, which leverage the user's telephone as the trusted device for the second factor of authentication.
Windows Azure Multi-Factor Authentication is powered by the market-leading PhoneFactor service acquired by Microsoft in 2012. The service is trusted by thousands of enterprise customers, healthcare organizations, banking and financial services companies, as well as government agencies at the state, local and federal level. The service authenticates millions of logins and financial transactions around the globe each month. It is battle tested and enterprise-ready. While Multi-Factor Authentication is part of the Windows Azure family and is powered by a cloud service, it is often deployed to secure on-premises applications in conjunction with an on-premises directory like Windows Server Active Directory. It supports on-premises, cloud, and hybrid scenarios.
Multi-Factor Authentication offers the additional security you demand using the phones your users already carry. Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them. And, support for multiple methods ensures additional authentication is always available.
Multi-Factor Authentication apps are available for Windows Phone, iOS phones and tablets, and Android devices. Users download the free app from the device store and activate it using a code provided during setup. When the user signs in, a notification is pushed to the app on their mobile device. The user taps to approve or deny the authentication request. Cell or Wi-Fi access is required. For offline authentication, the app works like a software token to generate a one-time passcode that is entered during sign in. The one-time-passcode method is comparable to the software or soft token solutions offered by vendors like RSA and Gemalto.
Automated phone calls are placed by the Multi-Factor Authentication service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign in.
Text messages are sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode. The user is prompted to either reply to the text message with the passcode or enter the passcode into the sign in screen.
First the user signs in from any device using their existing account credentials. If the user is signing into an on-premises application, the Multi-Factor Server that is installed at the customer's site intercepts the authentication request. First it checks the username and password against the user directory. If the correct credentials are entered, a request is sent to the Multi-Factor Authentication cloud service. The service sends the authentication request to the user's phone. Once the user has authenticated, they are instantly signed into the application. There are a number of ways to configure the service to secure cloud apps. First, the on-premises Multi-Factor Server can be used with Active Directory Federation Services or another SAML application for single sign-on to cloud applications. For apps that use Windows Azure Active Directory, the directory can call the Multi-Factor Authentication cloud service directly. Or developers can build multi-factor authentication into their custom apps using one of the Software Development Kits.
Security is often at odds with simplicity, but Windows Azure Multi-Factor Authentication affords you the benefit of both security AND convenience. As more enterprise workloads move to the cloud and organizations build cloud-based applications for partners and customers, multi-factor authentication will be required for a growing number of employees, partners, and customers to secure a growing number of applications. Systems that are cumbersome to set up, manage, and use simply won't scale to meet this demand. Windows Azure Multi-Factor Authentication offers simple setup, centralized user management, and an easy-to-use form factor so it can be quickly enabled for large numbers of users and applications. It is backed by a robust, scalable service that is ready to support your enterprise today and in the future.
Traditionally, strong authentication has been time consuming to deploy and has required significant ongoing resources to support. And it was a hassle for users who had to carry extra devices or whose access was limited to computers with smartcard readers or that had certificates installed. With Multi-Factor Authentication from Windows Azure, there are no devices or certificates to purchase, provision, and maintain. It works with the user's existing landline phone or mobile device. The authentication process is simple: it takes just seconds and no special training is required. Unlike hardware tokens, users replace their own lost or broken phones. Users manage their own authentication methods and phone numbers, eliminating calls to your help desk for basic changes. Multi-Factor Authentication can synchronize with your existing Active Directory or LDAP directory and is built into Windows Azure Active Directory, so user management is centralized. Enrollment is fully automated. For on-premises identities, new users can be prompted via an automated email to set up multi-factor authentication using an on-premises web portal. For cloud identities, users are prompted to complete setup the next time they sign in. This allows for rapid deployment to large numbers of geographically dispersed users. Users get easy, anywhere access and you get a solution that's easy to manage.
Windows Azure Multi-Factor Authentication scales to support the needs of all of your users and applications. The service works out-of-the-box with a wide range of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems and much more. This includes Microsoft systems like:
• Microsoft VPN/RRAS
• Remote Desktop Gateway
• Universal Access Gateway
• Terminal Services
• SharePoint
• Outlook Web Access
as well as third-party VPNs and virtual desktop systems. The service supports federation to cloud services using Active Directory Federation Services as well as other SAML-based applications. It is built into Windows Azure AD and works instantly with any applications that use the directory. This includes:
• Office 365
• Dynamics CRM Online
• Windows Azure Portal
• Windows Intune
• 3rd-party applications
• Applications that use the new Azure AD App Access capability
A Software Development Kit is available for use with custom applications and directories. The reliable, scalable service supports high-volume, mission-critical applications.
The Multi-Factor Authentication service offers strong protection against even the most sophisticated attacks. Its out-of-band push, call, and text methods offer added protection against malware and man-in-the-middle attacks. If the user does not approve an authentication request when prompted or cannot be reached for authentication, access is denied. However, because the user's credentials are verified before the Multi-Factor Authentication service is triggered, such a request is an indication that the user's password has been compromised. In some cases, the user will have the option to submit a fraud alert during the authentication request. This prevents further login attempts and sends a notification to your IT department. You can then work with the user to reset the user's password. A PIN option, where available, offers an additional layer of security by requiring users to also enter a secret PIN to authenticate. Rules regarding PIN strength and expiration can be set by the admin. If a user's PIN has expired, for example, they will be prompted to set a new PIN the next time they are prompted for multi-factor authentication. On-demand and scheduled reports are available for auditing of authentication requests. Multi-Factor Authentication enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements for multi-factor authentication.
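The sign-in gate and the audit rule described above, as an added example that is not part of the deck or of the product: a small Python model in which the password is checked first, the out-of-band second factor decides access, and audit records are reviewed for the "correct password, rejected second factor" pattern that points at a leaked password. The record layout, result codes and the block/notify actions are constructed assumptions, not Windows Azure MFA's real log schema or API.

```python
"""Model of the two-stage sign-in and the audit triage this deck describes.
The record format, result codes and actions below are constructed for this
example; they are not Windows Azure MFA's real log schema or API."""
from collections import defaultdict

# Constructed audit records: (user, primary_result, mfa_method, mfa_result).
# An empty mfa_result means the second factor was never requested.
SAMPLE_LOG = [
    ("alice", "OK",   "push", "APPROVED"),
    ("bob",   "OK",   "call", "DENIED"),       # user did not press # / hung up
    ("bob",   "OK",   "call", "DENIED"),
    ("carol", "OK",   "sms",  "TIMEOUT"),      # user could not be reached
    ("dave",  "FAIL", "",     ""),             # wrong password: MFA not triggered
    ("erin",  "OK",   "push", "FRAUD_ALERT"),  # user reported the request
    ("alice", "OK",   "otp",  "APPROVED"),
]

def grant_access(primary_result, mfa_result, blocked_users, user):
    """Access needs a verified password AND an approved second factor;
    a blocked user is refused even with both (the fraud-alert block)."""
    if user in blocked_users:
        return False
    return primary_result == "OK" and mfa_result == "APPROVED"

def triage(records):
    """Return (suspect, blocked, notices). suspect maps user -> number of
    second-factor rejections that followed a correct password, which the deck
    singles out as a sign that the password itself has been compromised."""
    suspect = defaultdict(int)
    blocked, notices = set(), []
    for user, primary, method, mfa in records:
        if primary != "OK":
            continue            # wrong password: nothing to infer about the 2nd factor
        if mfa == "FRAUD_ALERT":
            blocked.add(user)   # deck: fraud alert blocks further logins, notifies IT
            notices.append(f"{user}: fraud alert via {method}; blocked, reset password")
            suspect[user] += 1
        elif mfa in ("DENIED", "TIMEOUT"):
            suspect[user] += 1
    return dict(suspect), blocked, notices

if __name__ == "__main__":
    suspect, blocked, notices = triage(SAMPLE_LOG)
    print("suspect passwords:", suspect)
    print("blocked users:", blocked)
    for line in notices:
        print(line)
```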
The above papers are available on the Microsoft Download Center:
• Active Directory from the on-premises to the Cloud: http://www.microsoft.com/en-us/download/details.aspx?id=36391
• Office 365 Single Sign-On with AD FS 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=28971
• Office 365 Single Sign-On with Shibboleth 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=35464
• Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure: http://www.microsoft.com/en-us/download/details.aspx?id=38845