Azure B2C MFA with TOTP using Authenticator Splitting Enrollment & OTP Code

2 min read 05-10-2024

Simplifying Azure B2C Multi-Factor Authentication (MFA) with TOTP and Authenticator Splitting

Problem: Many organizations struggle to implement secure and user-friendly multi-factor authentication (MFA) for their applications. Azure B2C offers robust MFA capabilities, but the process can be complex.

Solution: Implementing MFA using Time-Based One-Time Passwords (TOTP) with authenticator splitting simplifies Azure B2C authentication and enhances security. This approach allows users to enroll their authenticator apps separately, ensuring they are in control of their security settings.

Scenario: Imagine a scenario where users need to access a sensitive application, like a financial platform, with Azure B2C. To enhance security, we want to enforce MFA using TOTP. However, we want to provide a user-friendly experience by allowing users to split their authenticator enrollment across multiple devices.

Original Code (Illustrative Example):

<!-- Azure B2C Policy Example (Illustrative) -->
<!-- Note: the step Type values (SendOTP, VerifyOTP) and the inline ClaimsTransformation
     elements are illustrative shorthand; they are not the element names of the Azure AD B2C
     custom policy (TrustFrameworkPolicy) schema, where each step references a technical profile. -->
<UserJourney>
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="Start" />
    <!-- Enrollment: map the user's contact claims to the OTP delivery claims -->
    <OrchestrationStep Order="2" Type="SendOTP">
      <ClaimsTransformation InputClaim="phoneNumber" OutputClaim="otpPhoneNumber" />
      <ClaimsTransformation InputClaim="email" OutputClaim="otpEmail" />
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="VerifyOTP" />
    <!-- Sign-in: a second send/verify round on the device the user selects -->
    <OrchestrationStep Order="4" Type="SendOTP" />
    <OrchestrationStep Order="5" Type="VerifyOTP" />
  </OrchestrationSteps>
</UserJourney>

Analysis:

  • Authenticator Splitting: Users enroll their authenticator app on one device (for example their phone); when prompted for MFA, they can choose to have the OTP code delivered to a different enrolled device, such as a tablet or computer.
  • TOTP Implementation: The codes come from the industry-standard TOTP algorithm, so each code is valid only for a short time window.
  • User Experience: Splitting the authenticator enrollment provides flexibility and ease of use, as users can choose the device most convenient for them.

Steps to Implement:

  1. Azure B2C Policy Configuration: Configure your Azure B2C policies to enable OTP-based MFA and specify the relevant authenticator-related claims.
  2. Authenticator App Integration: Users need to install a compatible authenticator app like Microsoft Authenticator or Google Authenticator on their desired devices.
  3. Enrollment Process: Users will be prompted to scan a QR code during the enrollment process, which links their authenticator app to their Azure B2C account.
  4. MFA Verification: When prompted for MFA, users can select the device where they want to receive the OTP code.
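The TOTP mechanics behind steps 3 and 4, as an added example that is not code from the page or from Azure AD B2C (which performs this verification itself): the otpauth:// URI that the enrollment QR code encodes, code generation, and a verifier that tolerates one step of clock drift but rejects a replayed code. The issuer, account name and demo secret are constructed values.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length shown in the authenticator app

# Constructed demo secret: the RFC 6238 reference key, not a real user's secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def enrollment_uri(secret: bytes, issuer: str, account: str) -> str:
    """otpauth:// URI carried by the enrollment QR code (Key Uri Format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1",
         "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def verify(secret: bytes, code: str, at: int, window: int = 1, last_step=None):
    """Return the accepted time step, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any step at or before `last_step` (the step of the last accepted
    code) so a captured code cannot be replayed inside its validity window.
    """
    current = at // STEP
    for delta in range(-window, window + 1):
        step = current + delta
        if last_step is not None and step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None
```

The server must persist the step returned by verify() per user and pass it back as last_step on the next attempt; without that, a code phished seconds earlier is still accepted.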

Benefits:

  • Enhanced Security: Because the authenticator is enrolled on one device and the code can be delivered to another, an attacker would have to compromise more than one device at the same time.
  • Improved User Experience: Users have greater control over their security and can choose the most convenient device for receiving OTP codes.
  • Simplified Management: This approach simplifies the MFA process, making it easier for both users and administrators.

Additional Considerations:

  • Security best practices: Ensure users understand the importance of safeguarding their authenticator apps and the devices they are enrolled on.
  • Backup options: Consider providing users with backup methods like email or SMS codes for situations where their primary device is unavailable.

Conclusion:

Implementing TOTP-based MFA with authenticator splitting in Azure B2C provides a robust and user-friendly approach to security. By allowing users to split their authenticator enrollment, we can enhance security while simplifying the authentication process, leading to a more secure and satisfying user experience.

Resources: