I’ve written about the Multi-Factor Authentication server quite extensively. I’ve been pretty content with text messages for authentication, but since DRAFT NIST Special Publication 800-63B, Out-of-Band (OOB) using the PSTN (SMS or voice) is deprecated (ref 188.8.131.52) I’ve been taking a closer look at the Microsoft Authenticator app.
Microsoft’s on-premises Multi-Factor Authentication Server and the accompanying Azure MFA Service, luckily, supports more authentication methods, besides voice calls and text messages (in random order):
- Phone call
- Two-way SMS
- Two-way SMS with PIN
- One-way SMS
- One-way SMS with PIN
- OATH token
- Mobile App
I’ve done an extensive review of the pros and cons of each authentication method, so I decided to take a closer look at the Mobile App, especially, since Microsoft has put quite some work in it recently.
To this purpose, I added the Multi-Factor Authentication Mobile Portal to an existing Multi-Factor Authentication Server implementation.
I then logged on to the Multi-Factor Authentication User Portal with a user account, performed the second authentication method assigned to the user account and choose Activate Mobile App from the menu in the left pane.
After I hit the Generate Activation Code and scanned the barcode with my phone, the app responded with an error:
The remote server returned an error: NotFound
The existing Multi-Factor Authentication Server implementation, I reused to this purpose, uses a TLS certificate that was issued by a private Certification Authority (CA).
Although the root certificate was added to the certificate store of the phone and any desktops with the root certificate installed gain access to the Mobile Portal without problems, the certificate will not work on phones.
To make the Microsoft Authenticator app work, use a publicly trusted TLS certificate with your Multi-Factor Authentication (MFA) Server Mobile Portal(s).
Choosing the right Azure MFA authentication methods
Microsoft Authenticator – One easy-to-use app for all your MFA needs
Time is running out for this popular online security technique