Building Multi-Factor Authentication into Custom Apps (SDK)
Published: May 20, 2013
Updated: January 28, 2014
Azure Multi-Factor Authentication (formerly known as Azure Active Authentication or PhoneFactor) adds the security of multiple verification methods to the Azure Management Portal and to applications that you add to Azure Active Directory. Azure Multi-Factor Authentication supports verification using telephone calls, text messages, and mobile apps for Windows Phone, iOS, and Android devices, to supplement application sign-ins and transactions.
Administrators can configure Multi-Factor Authentication in the Active Directory section of the Azure Management Portal or configure it programmatically using the SDK. End-users can select a Multi-Factor Authentication method and enter their phone numbers in the "Additional Security Verification" pages in the Azure Management Portal and the Office 365 sign-in page, or in an application or identity provider sign-in page.
The topics in this section include:
Azure Multi-Factor Authentication allows you to add multiple authentication factors to the primary authentication strategy for applications in Azure AD. Multi-factor authentication requires users to verify their sign-in identity by responding to a telephone call, text message, or mobile app notification.
When implementing Multi-Factor Authentication, use the additional factors as secondary or tertiary verification to supplement your primary authentication method. These methods are not designed to be used as primary authentication methods.
Developers can use the Multi-Factor Authentication SDK to customize these basic verification options. The SDK does not support mobile app verification.
Automated telephone calls. Azure Multi-Factor Authentication can call any landline or mobile telephone. To complete the sign-in process, the user answers the call and presses the # key, or enters a pre-defined Personal Identification Number (PIN), and then presses the # key.
Text messages. Azure Multi-Factor Authentication can send an SMS text message with a one-time passcode to any mobile phone. To complete the sign-in process, the user is prompted to reply with the passcode or passcode and PIN, or to enter the passcode on an application sign-in screen.
Note: The SDK includes APIs for voice print verification, but this service is not offered in Azure AD. Attempts to use voice print verification generate errors.
The Azure Multi-Factor Authentication Portal allows you to enable and configure Multi-Factor Authentication for the applications in your Azure AD tenant. The portal features include reporting, customizing voice greetings, setting a caller ID phone number, blocking and unblocking users, and allowing a one-time bypass for user authentication.
For more information, including instructions for using the portal features, see Azure Multi-Factor Authentication.
You can build Multi-Factor Authentication phone call and text message verifications directly into your application sign-in or transaction processes. The Azure Multi-Factor Authentication Software Development Kit (SDK) enables you to configure and customize Multi-Factor Authentication programmatically.
The Multi-Factor Authentication SDK is available for C#, Visual Basic (.NET), Java, Perl, PHP, and Ruby. The SDK includes everything you need to write your code, including commented source code files, a certificate and private key for encrypting transactions, example files, and a detailed ReadMe file. If you’re new to multi-factor authentication, take a few minutes to work through the examples and to review the conceptual topics in Azure Multi-Factor Authentication.
The structure of the APIs in the Multi-Factor Authentication SDK is quite simple. You make a single function call to an API with the multi-factor option parameters, such as the verification mode, and user data, such as the telephone number to call or the PIN to validate. The APIs translate the function call into web service requests to the cloud-based Azure Multi-Factor Authentication Service. All calls must include a reference to the private certificate that is included in every SDK.
To download the Multi-Factor Authentication SDK, you must have an Azure subscription and an Azure AD tenant. Then, you must create an Azure Multi-Factor Authentication Provider, which allows you to use and be charged for the service.
The APIs in the Multi-Factor SDK support verification by telephone call and SMS text messages, but they do not support the Multi-Factor Authentication mobile apps.
Because the APIs do not have access to users registered in Azure Active Directory, you must provide user information, such as phone numbers and PIN codes, in a file or database. Also, the APIs do not provide enrollment or user management features, so you need to build these processes into your application.