Building Multi-Factor Authentication into Custom Apps (SDK)
Published: May 20, 2013
Updated: January 28, 2014
Windows Azure Multi-Factor Authentication (formerly known as Windows Azure Active Authentication or PhoneFactor) adds the security of multiple verification methods to the Windows Azure Management Portal and to applications that you add to Windows Azure Active Directory. Windows Azure Multi-Factor Authentication supports verification using telephone calls, text messages, and mobile apps for Windows Phone, iOS, and Android devices, to supplement application sign-ins and transactions.
Administrators can configure Multi-Factor Authentication in the Active Directory section of the Windows Azure Management Portal or configure it programmatically using the SDK. End-users can select a Multi-Factor Authentication method and enter their phone numbers in the "Additional Security Verification" pages in the Windows Azure Management Portal and the Office 365 sign-in page, or in an application or identity provider sign-in page.
About Multi-Factor Authentication
Windows Azure Multi-Factor Authentication allows you to add multiple authentication factors to the primary authentication strategy for applications in Windows Azure AD. Multi-factor authentication requires users to verify their sign-in identity by responding to a telephone call, text message, or mobile app notification.
When implementing Multi-Factor Authentication, use the additional factors as secondary or tertiary verification to supplement your primary authentication method. These methods are not designed to be used as primary authentication methods.
Developers can use the Multi-Factor Authentication SDK to customize the following two verification options. The SDK does not support mobile app verification.
Automated telephone calls. Windows Azure Multi-Factor Authentication can call any landline or mobile telephone. To complete the sign-in process, the user answers the call and presses the # key, or enters a pre-defined Personal Identification Number (PIN), and then presses the # key.
Text messages. Windows Azure Multi-Factor Authentication can send an SMS text message with a one-time passcode to any mobile phone. To complete the sign-in process, the user is prompted to reply with the passcode or passcode and PIN, or to enter the passcode on an application sign-in screen.
Note: The SDK includes APIs for voice print verification, but this service is not offered in Windows Azure AD. Attempts to use voice print verification generate errors.
About the Multi-Factor Authentication Portal
The Windows Azure Multi-Factor Authentication Portal allows you to enable and configure Multi-Factor Authentication for the applications in your Windows Azure AD tenant. The portal features include reporting, customizing voice greetings, setting a caller ID phone number, blocking and unblocking users, and allowing a one-time bypass for user authentication.
For more information, including instructions for using the portal features, see Windows Azure Multi-Factor Authentication.
About the Multi-Factor Authentication SDK
You can build Multi-Factor Authentication phone call and text message verifications directly into your application sign-in or transaction processes. The Windows Azure Multi-Factor Authentication Software Development Kit (SDK) enables you to configure and customize Multi-Factor Authentication programmatically.
The Multi-Factor Authentication SDK is available for C#, Visual Basic (.NET), Java, Perl, PHP, and Ruby. The SDK includes everything you need to write your code, including commented source code files, a certificate and private key for encrypting transactions, example files, and a detailed ReadMe file. If you’re new to multi-factor authentication, take a few minutes to work through the examples and to review the conceptual topics in Windows Azure Multi-Factor Authentication.
The structure of the APIs in the Multi-Factor Authentication SDK is simple. You make a single function call with the multi-factor option parameters, such as the verification mode, and the user data, such as the telephone number to call or the PIN to validate. The API translates the function call into web service requests to the cloud-based Windows Azure Multi-Factor Authentication Service. Every call must reference the certificate and private key included in the SDK download. Treat that private key as a secret: keep it out of source control and readable only by the application that makes the calls, because anyone who holds it can issue verification requests against your Multi-Factor Authentication Provider.
To download the Multi-Factor Authentication SDK, you must have a Windows Azure subscription and a Windows Azure AD tenant. Then, you must create a Windows Azure Multi-Factor Authentication Provider, which allows you to use and be charged for the service.
The APIs in the Multi-Factor Authentication SDK support verification by telephone call and SMS text message, but they do not support the Multi-Factor Authentication mobile apps.
Because the APIs do not have access to users registered in Windows Azure Active Directory, you must supply user information, such as phone numbers and PIN codes, from your own file or database, and protect that store as you would any other authentication data. The APIs also do not provide enrollment or user management features, so you need to build these processes into your application.
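The following is an added example, not code from the original page or from the SDK. It shows the application-side flow these constraints imply: the password is checked first, the phone number and PIN come from the application's own user store, and for SMS verification with passcode entry on the application's own sign-in screen the application generates, delivers, expires and checks the passcode itself. The SDK call is represented by a hypothetical FakeMfaBackend class that only records requests; its class and method names are assumptions, not the SDK's API. Ruby is used because it is one of the SDK languages listed above.

```ruby
require "securerandom"
require "openssl"

# Hypothetical stand-in for the SDK call the page describes: one call carrying the
# verification mode and the user's phone number (and PIN, when one is required).
# It records each request so the flow can be exercised offline; it is not the SDK API.
class FakeMfaBackend
  attr_reader :requests
  def initialize(service_down: false)
    @requests = []
    @service_down = service_down
  end
  # Phone-call mode: the service rings the number and the user presses # (or PIN, then #).
  def phone_call(phone:, pin: nil)
    raise "MFA service unavailable" if @service_down
    @requests << { mode: :phone_call, phone: phone, pin_required: !pin.nil? }
    true
  end
  # SMS mode where the passcode is typed into our own sign-in screen: the backend
  # only delivers the code, so generating and checking it is the application's job.
  def send_sms(phone:, passcode:)
    raise "MFA service unavailable" if @service_down
    @requests << { mode: :sms, phone: phone, passcode: passcode }
    true
  end
end

class MfaSignIn
  OTP_TTL_SECONDS = 300
  MAX_ATTEMPTS = 3

  # Builds the per-user record the application must keep itself (the SDK has no user
  # store): a PBKDF2 password verifier plus the enrolled phone number and optional PIN.
  def self.enroll(password:, phone:, pin: nil)
    salt = SecureRandom.random_bytes(16)
    { salt: salt, password_hash: pbkdf2(password, salt), phone: phone, pin: pin }
  end

  def self.pbkdf2(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new("SHA256"))
  end

  # Constant-time comparison so a wrong passcode does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def initialize(users, backend)
    @users = users    # username => record from MfaSignIn.enroll
    @backend = backend
    @pending = {}     # username => { code:, expires_at:, attempts: } for in-flight SMS codes
  end

  # Primary factor, always evaluated first: the phone is never contacted for a wrong
  # password, so the second factor cannot be used to probe which accounts exist.
  def password_ok?(username, password)
    user = @users[username]
    return false unless user
    self.class.secure_equal?(self.class.pbkdf2(password, user[:salt]), user[:password_hash])
  end

  # Password, then a phone call as the second factor. A service error or an unenrolled
  # user denies access: the second factor never degrades to password-only sign-in.
  def sign_in_with_call(username, password)
    return :denied unless password_ok?(username, password)
    user = @users[username]
    return :denied unless user[:phone]
    @backend.phone_call(phone: user[:phone], pin: user[:pin]) ? :granted : :denied
  rescue StandardError
    :denied
  end

  # Password, then a fresh one-time passcode delivered by SMS for entry on our screen.
  def begin_sms(username, password)
    return :denied unless password_ok?(username, password)
    user = @users[username]
    return :denied unless user[:phone]
    code = format("%06d", SecureRandom.random_number(1_000_000))
    @pending[username] = { code: code, expires_at: Time.now + OTP_TTL_SECONDS, attempts: 0 }
    @backend.send_sms(phone: user[:phone], passcode: code) ? :code_sent : :denied
  rescue StandardError
    @pending.delete(username)
    :denied
  end

  # Second step of the SMS flow: the code is single-use, expires, and allows MAX_ATTEMPTS
  # guesses; it is consumed on success, on expiry, and once the guess budget is spent.
  def complete_sms(username, entered_code, now: Time.now)
    pending = @pending[username]
    return :denied unless pending
    pending[:attempts] += 1
    spent = now > pending[:expires_at] || pending[:attempts] > MAX_ATTEMPTS
    match = !spent && self.class.secure_equal?(entered_code.to_s, pending[:code])
    @pending.delete(username) if match || spent
    match ? :granted : :denied
  end
end
```

The design point is that every path that does not end in a successful second-factor result returns :denied, including a raised service error and a user with no enrolled phone number. That is what keeps the phone call or SMS a supplement to the password rather than a step the application silently skips when the service is unreachable.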