Simple OTP verification - Azure Multi Factor Authentication Provider

Have you ever run into a situation where you need to apply an additional layer of security on certain areas of your application (web and mobile both)? If you look at most of the applications that are available today, they tend to use "Multi Factor Authentication" for similar objective, but during authentication process. One way of implementing MFA is to SMS a one time use password/phrase to user's registered mobile phone number and have user enter that value. Quite familiar, isn't it?

Imagine if you had a similar requirement where you have already authenticated the user but you want the user to go through another verification process before letting them perform some action - this is really not a user authentication process but additional security for whatever he/she is going to do next (e.g. Change Password?, Remove Account? etc.). One Time Password is common utility for such scenario as well.

Let us have a look at Multi Factor Authentication Provider Service available in Microsoft Azure and how to use that to achieve the specific scenario.

You can create a stand alone "MFA Provider" in Azure.

You can choose to associate the MFA provider to an Azure Active Directory if you like. In my scenario, I did not associate it with an AAD. Please do note that this setting can not be modified later, so do give this a thought.

You are now all set to integrate the OTP feature in your application.

Click the "Manage" link.

It opens up another portal where you can configure multiple properties of the MFA server (including the audio message that user would hear when they get a phone call if we use phone call verification). Amount of modification to the out of the box functionality is totally up to you to decide. I would not delve into that in this post.

Click on SDK link. It would open up a page which gives away the standard SDKs that you can use for interacting with the MFA provider you created. Each download has a specific certificate associated with it - therefore if you want to reuse it for other MFA providers, ensure that you have the right certificate.

I downloaded the ASP.NET 2.0 C# version. It is a website. You can open it in visual studio.

The version I downloaded gave me compilation errors as it was not able to identify the highlighted file part of solution.

There can be n reasons of why it was not working - I just took the short route of copying the file content into "example.aspx.cs" file and excluding the highlighted file. Since the source code uses a hard coded path "C:\\cert_key.p12" for locating the certificate file, I (being lazy) copied the file to C:\ and ran the application. You can change the path as per your liking.

Once you run the solution, it opens a test page that lets you test out different capabilities of MFA provider. In this case I am interested in verifying the OTP functionality.

If you are not in USA, it would not work out of the box as country code "1" is hard coded in the SDK code :). You can modify the country code in the class "PfAuthParams".

When testing the app, enter your phone number without country code. If you want to debug, put a break point at "pf_authenticate_internal" function.

"get_response_status" function returns the value of OTP sent to the end user. Your application can store that and compare that against the user entered value for OTP. Easy, right!!

Of course, there are better ways to do this. This is just one simple way to achieve this. Good thing is that you do not have procure a MFA server and you pay for the number of authentication (or number of users) your application goes through.