Authlogics for Azure and Office 365
Single Sign-On and Flexible MFA for the Microsoft Cloud
Whitepaper

Authlogics, 12th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom
UK Tel: +44 1344 568 900
US Tel: +1 857 214 2174
email: info@authlogics.com
web: http://authlogics.com/
The information contained in this document represents the current view of Authlogics on the issues discussed as of the date of publication. Because Authlogics must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Authlogics, and Authlogics cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. AUTHLOGICS LTD MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Copyright 2017 Authlogics. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Introduction

Office 365 is a comprehensive suite of online and offline applications backed by Azure Active Directory. As Azure and Office 365 provide access to and store confidential company information, it is critical to secure access to them. Out of the box, Office 365 allows access via a username and password combination, which is not very secure, especially since those credentials are not protected by your perimeter network firewall and remote access controls.

The Authlogics for Azure and Office 365 solution provides secure authenticated access from inside and outside the network to cater for a multitude of scenarios, be it Azure administrator access, mobile device sync, Outlook client connectivity or simple browser access to OWA or SharePoint.

How it fits together

When a user logs into Office 365 they are actually authenticated by Azure AD, and that account is then used for access to Exchange Online, SharePoint Online, Skype for Business etc.

When you first set up Office 365 you need to create user accounts (in Azure). They can be created manually via the Office 365 Portal browser interface or, more typically, they are synchronised from an On-Premise Active Directory with Microsoft's Azure AD Connect tool. Synchronisation is only half the story though, as it simply sets up the user accounts in Azure; how do you log on with the new accounts?

The simple way to achieve this is to synchronise your On-Premise passwords to Azure (via Azure AD Connect). This makes it appear to users that they are logging on with their usual AD user account, even though in truth they are being authenticated by Azure. This is known as Same Sign-On.

The more secure way is to let Azure / Office 365 authenticate your users directly with the On-Premise Active Directory using federation (via Microsoft ADFS). This is known as Single Sign-On.

With this method, the users are actually logging on to your own local Active Directory, and a SAML token is then provided to Azure and Office 365 for the user, allowing seamless access to the cloud services. Although the foundations have been laid, we are still relying on insecure passwords to access the applications, so we still need to add something stronger.
Authlogics Integration

The Authlogics solution for Azure and Office 365 integrates directly with Microsoft ADFS, as this provides the greatest level of control and covers the most use-case scenarios for strong authentication. Not only do you reap the benefits of Single Sign-On to Azure, Office 365 and any other cloud provider which supports SAML 2.0 (which is most of them), you can also decide which applications must use strong authentication and from where. Since there is an On-Premise Authentication Server working with ADFS, you can also use Authlogics with On-Premise services such as Network Access Control, VPN and wireless access (RADIUS), or even to secure Windows Desktop logons.

Authentication workflow of the Authlogics ADFS Agent with Office 365:
(1) The user goes to the Office 365 sign-on page and enters their account name.
(2) The user is redirected to the ADFS logon page and enters their password.
(3) The AD account is authenticated.
(4) The Authlogics Agent for ADFS requests a One Time Code.
(5) Authlogics authenticates the One Time Code.
(6) If successful, the user is redirected back to Office 365 and the app loads.

[Figure: Authlogics ADFS Agent with Office 365 authentication workflow, showing the Directory Sync, Sign-On, Redirect and Authenticate flows between the user, ADFS, Authlogics and Office 365]
Many factors to consider

Authlogics goes beyond simply adding 2FA to Azure and Office 365. It provides 1.5 and 2 Factor Authentication options, via three authentication technologies (PINpass, PINphrase and PINgrid), and can be delivered via the Web, Mobile App, Email or SMS/TEXT.

1.5 Factor

Our 1.5 Factor Authentication is a unique (and patented) One Time Code system that does not require a second physical device. While technically not as secure as 2FA, it is much quicker and less costly to deploy and more convenient to use, while mitigating most of the security concerns associated with 1 Factor Authentication technologies (passwords).

[Figure: Office 365 web-based logon with Authlogics PINgrid and 1.5 Factor Authentication]

2 Factor

Strong 2 Factor Authentication is also available for higher security requirements. The primary delivery method of our 2FA is a soft token available on all major and minor mobile app stores for complete device coverage. The soft token works 100% offline and has no dependency on 3G or Wi-Fi, which is critical for people on the move. Alternatively, users can receive tokens via Email or SMS/TEXT if they don't have the soft token installed. All these options can be configured on a per-user basis for control and flexibility.

Got a device? Bring it!

In modern multi-platform ecosystems and the reality of BYOD, it is crucial to be able to support multiple types of devices running different operating systems. Authlogics provides seamless integration with all web browsers, desktop and mobile operating systems capable of working with Azure and Office 365.
Office 365 clients

The client side of Office 365 is often overlooked but is vitally important. When you enable Multi Factor Authentication with Office 365 (from any vendor), you by definition make a username-and-password-only combination redundant. As such, any client application that asks for and remembers a password will no longer work.

Microsoft has addressed this issue with Modern Authentication, which is built into all the Office desktop apps (Office 2013 and higher). When required, the Office app, e.g. Outlook, presents a mini web browser view of a logon page, allowing for a new logon process which includes Multi Factor Authentication. Once authentication is complete, an OAuth token is generated which the app uses to authenticate with the back-end services instead of a stored password. From a user's perspective, it is similar to how a Microsoft Account works with consumer-based services. Modern Authentication is already built into many Microsoft applications including Outlook, Skype for Business, ActiveSync and Workplace Join.

[Figure: Workplace Join on iPhone 7 with Authlogics PINgrid and 1.5 Factor Authentication]
Microsoft Multi-Factor Authentication

Microsoft's MFA solution is primarily built around OATH, which is a very well known One Time Pin standard used by most vendors (including Authlogics PINpass). It also supports push notifications via a mobile app. Microsoft includes a limited version of their MFA solution (Multi-Factor Authentication for Office 365) with all Office 365 SKUs, which covers some basic scenarios. Furthermore, Microsoft offers a more feature-complete version of their MFA solution (Azure Multi-Factor Authentication), which is available as part of the more expensive Azure AD Premium and Enterprise Mobility Suite services.

Multi-Factor Authentication for Office 365 is limited to Office 365 applications only and is administered via the Office 365 portal, so if you require secure Single Sign-On to other cloud providers or On-Premise applications this is not an option. For those features you will need to upgrade (for a fee) to Azure Multi-Factor Authentication, which gives you One-Time Bypass, reporting, and allows you to install an On-Premise server (essentially the recently purchased PhoneFactor product). The downside to this is that you need to administer the On-Premise and Cloud offerings separately, as there is no integration.

Table: Authlogics vs Microsoft MFA offerings. Solutions compared: Authlogics, Azure MFA, MFA for O365. Features compared:
- Multiple authentication technologies
- 1.5 Factor Authentication option
- Mobile App token
- Real-Time SMS token delivery
- Pre-Send SMS token delivery
- Email token delivery
- 3rd Party Cloud support
- On-Premise app support
- Self Service AD password reset
- Emergency Bypass Codes
- Reporting
- 2FA PIN option
- Authentication SDK
- Web API (100% automation)
- Uses AD as a database (no syncing)
About Authlogics

Authlogics provides IT security professionals with a fresh alternative to legacy authentication and transaction verification methods. We help companies remove the reliance on password-based authentication and hardware tokens, and encourage the use of self-service capabilities. We eliminate the costs and administration surrounding card readers and keyring tokens, and innovate without the need to implement expensive biometrics.

Whether you want to authenticate to a web portal, VPN, firewall, or to a multitude of different cloud providers, Authlogics offers a range of authentication methods to suit your business. Our solution provides 1.5, 2 and 3 Factor Authentication options, via three authentication technologies (PINpass, PINphrase and PINgrid), and can be delivered via the Web, Mobile App, Email or SMS/TEXT. Additionally, we have several integration agents for various 3rd party systems should you need them.

PINgrid

PINgrid is an award-winning and patented multi-factor authentication and transaction signing solution that is being used in the public and private sector today to transform any mobile device into a soft token, via a simple offline application, replacing passwords with a memorable pattern that automatically generates a One Time Code (OTC).

PINphrase

PINphrase is a memorable-word technology where users are asked for random letters from answers they already know in order to log in, instead of providing a full password. PINphrase is the only off-the-shelf solution that delivers this type of technology, which is used by many banks' web sites.

PINpass

PINpass is a 2 and 3 Factor OATH-compliant 6-8 digit random code solution. This standard is widely adopted by many vendors and is well trusted. PINpass turns a mobile device into a token via an App or by sending an OTP via SMS or e-mail. Like most OATH solutions, PINpass works with a fixed PIN code which must be remembered; however, it can also be used with an AD password or work in PINless mode.