TOTP globally available for Azure AD B2C

Posted by Harri Jaakkonen Posted on 17/08/2022 0 Comments on TOTP globally available for Azure AD B2C
Posted in Azure, Azure B2B, Azure B2C, Conditional access, Identity, Identity Platform, Microsoft Graph, Powershell, Security

I wrote before a post about B2C in general, how to use our own custom domain thru Azure Front door and how to use custom policies.

I prefer that you read these out to get clearer picture of B2C functionality. There is still lot more to cover but it’s a start.

What is Azure B2C and how to use it?
Azure B2C is a authentication portal for social, personal and corporate accounts. The authentication is based on OpenID Connect. You can modify the login pages, add identity providers, give all Azure AD tenants the right to login thru your tenant. There is wide range of possibilities with it but first about the authentication and then […]
Read More
www.cloudpartner.fi
Azure B2C with AFD and custom domain(s)
Be default Azure B2C comes with onmicrosoft.com login url. If you want to change it, you have to make use of custom domains via Azure Frontdoor. How to? Microsoft has an excellent article to establish this requirement. In the article it’s stating that all the subdomains have to be registered to the tenant also. Here […]
Read More
www.cloudpartner.fi
What is Azure B2C and how to use custom policies?
Azure B2C is a authentication portal for social, personal and corporate accounts. The authentication is based on OpenID Connect. You can modify the login pages, add identity providers, give all Azure AD tenants the right to login thru your tenant. There is wide range of possibilities with it but first about the authentication and then […]
Read More
www.cloudpartner.fi

So, now you know it all, right? Maybe not but you should. B2C is a really powerful tool for external multi-tenant, single-tenant application publishing and can be used with Social accounts also.

But now to the main topic of this post.

B2C TOTP (Time-based One-time Password)

Why to use?

Integrating a time-based OTP with an authenticator app as a second factor in B2C scenarios user flows enables a higher level of security compared to existing email and phone factors.

OTP was already enabled for majority of tenants in January 2022

Mandatory one-time password is coming, are you ready?
Microsoft has statement in the in their docs saying. “Starting November 1, 2021, we’ll begin rolling out a change to turn on the email one-time passcode feature for all existing tenants and enable it by default for new tenants. At that time, Microsoft will no longer support the redemption of invitations by creating unmanaged (“viral” […]
Read More
www.cloudpartner.fi

What is the difference with OTP and TOTP?

In order to authenticate a transaction or grant access to an account, a one-time password (OTP) is generated at random and sent to the registered phone number or email on file with the recipient. OTPs typically last between 5 and 10 minutes, as opposed to a TOTP, which is only valid for 30 to 60 seconds. A TOTP is produced in a mobile app instead of being delivered to you like an OTP is.

What is TOTP?

OATH TOTP (Time-based One Time Password) is an open standard that specifies how one-time password (OTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes.

OATH software tokens

Software OATH tokens are typically applications such as the Microsoft Authenticator app and other authenticator apps. Azure AD generates the secret key, or seed, that’s input into the app and used to generate each OTP.

The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup even if their device doesn’t have connectivity. Third-party applications that use OATH TOTP to generate codes can also be used.

How to enable TOTP with custom policies?

Set multifactor authentication

To enable multifactor authentication, get the custom policy starter pack from GitHub as follows:

  • Download the .zip file or clone the repository from https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack, and then update the XML files in the SocialAndLocalAccountsWithMFA starter pack with your Azure AD B2C tenant name. The SocialAndLocalAccountsWithMFA enables social and local sign in options, and multifactor authentication options, except for the Authenticator app – TOTP option.
  • To support the Authenticator app – TOTP MFA option, download the custom policy files from https://github.com/azure-ad-b2c/samples/tree/master/policies/totp, and then update the XML files with your Azure AD B2C tenant name. Make sure to include TrustFrameworkExtensions.xmlTrustFrameworkLocalization.xml, and TrustFrameworkBase.xml XML files from the SocialAndLocalAccounts starter pack.
  • Update your [page layout] to version 2.1.14. For more information, see Select a page layout.

TOTP mode

In this mode, the user is required to install any authenticator app that supports time-based one-time password (TOTP) verification, such as the Microsoft Authenticator app, on a device that they own.

During the first sign-up or sign-in, the user scans a QR code, opens a deep link, or enters the code manually using the authenticator app. To verify the TOTP code, use the Begin verify OTP followed by Verify TOTP validation technical profiles.

For subsequent sign-ins, use the Get available devices method to check if the user has already enrolled their device. If the number of available devices is greater than zero, this indicates the user has enrolled before. In this case, the user needs to type the TOTP code that appears in the authenticator app.

Technical profile

  • Doesn’t provide an interface to interact with the user. Instead, the user interface is called from a self-asserted technical profile, with the TOTP display controls.
  • Uses the Azure AD MFA service to validate the TOTP code.
  • Checks if a user has already enrolled their device.

The get available device mode checks the number of devices available for the user. If the number of available devices is zero, this indicates the user hasn’t enrolled yet.

Display controls

To enable TOTP within your custom policy, use the following display controls:

  • totpQrCodeControl – Render the QR code and a deep link. When the user scans the QR code or opens the deep link, the authenticator app opens so the user can complete the enrollment process.
  • AuthenticatorAppIconControl – Render the Microsoft Authenticator app icon with a link to download the app to the user’s mobile device.
  • AuthenticatorInfoControl – Render the TOTP introduction.

Add these to your TrustFrameworkExtensions xml-file under Technical profile

The display controls are referenced from a self-asserted technical profile. The self-asserted technical profile uses input claims transformation to prepare the required qrCodeContent and secretKey input claims.

The input claims transformations must be called in the following order:

  1. The CreateSecret claims transformation type of CreateOtpSecret. The claims transformation creates a TOTP secret key. This key is later stored in the user’s profile in Azure AD B2C, and is shared with the authenticator app. The authenticator app uses the key to generate a TOTP code the user needs to go through MFA. Your custom policy uses the key to validate the TOTP code provided by the user.
  2. The CreateIssuer claims transformation type of CreateStringClaim. The claims transformation creates the TOTP issuer name. The issuer name is your tenant name, such as “Contoso demo”.
  3. The CreateUriLabel claims transformation type of FormatStringMultipleClaims. The claims transformation creates the TOTP URI label. The label is a combination of the user’s unique identifier, such as email address, and the issuer name, for example, Contoso demo:emily@fabrikam.com.
  4. The CreateUriString claims transformation type of BuildUri. The claims transformation creates the TOTP URI string. The string is a combination of the URI label and the secret key, for example, otpauth://totp/Contoso%20demo:emily@fabrikam.com?secret=fay2lj7ynpntjgqa&issuer=Contoso+demo. This URI label is rendered by the display control in a QR code format and a deep link.

Add also these to your TrustFrameworkExtensions xml-file under Technical profile

How to setup in Azure AD?

MFA

You can do it with Conditional access. See below how to use CA policies and enable MFA.

Section 9 – Implement an Authentication and Access Management Solution – Plan, implement and administer conditional access
Time for first half of section 9 in my SC-300 study guide and covering the following: plan and implement security defaults plan conditional access policies implement conditional access policy controls and assignments (targeting, applications, and conditions) testing and troubleshooting conditional access policies implement application controls implement session management Plan and implement security defaults Before anything […]
Read More
www.cloudpartner.fi

End-user setup

Authenticator app – TOTP – The user must install an authenticator app that supports time-based one-time password (TOTP) verification, such as the Microsoft Authenticator app, on a device that they own. During the first sign-up or sign-in, the user scans a QR code or enters a code manually using the authenticator app. During subsequent sign-ins, the user types the TOTP code that appears on the authenticator app. See how to set up the Microsoft Authenticator app.

First login

At first login you will be displayed for the old style “more information required” box. And you will add other account to Authenticator.

Once you are done the user journey will ask for the code in your Authenticator app.

And you will be able to login.

B2C user auth methods

Once it’s enabled you will see the software TOTP under users authentication methods.

How to access methods thru API?

MethodReturn typeDescription
List softwareOathMethodssoftwareOathAuthenticationMethod collectionRetrieve a list of a user’s softwareOathAuthenticationMethod objects and their properties.
Get softwareOathAuthenticationMethodsoftwareOathAuthenticationMethodRead the properties of a user’s softwareOathAuthenticationMethod object.
Delete softwareOathAuthenticationMethodNoneDelete a user’s softwareOathAuthenticationMethod object.

Most of the time it’s easier to do it programmatically than via Azure portal.

If you want to learn more from Microsoft Graph and the transition from old PowerShell modules, see post below.

Old PowerShell modules vs Microsoft Graph SDK and MSAL vs ADAL
Two main thigs that I want to concentrate in this post are ADAL deprecation and Graph PowerShell but also little bit about tokens. Microsoft is deprecating ADAL and Azure AD Graph Just as a reminder to all who it concerns. Microsoft is deprecating ADAL and Azure AD Graph in June 2022. The notification all over […]
Read More
www.cloudpartner.fi

Why not to use SMS and Phone for verification?

Alex Weinert wrote an excellent blog back in 2020

It’s Time to Hang Up on Phone Transports for Authentication
In my blog Your Pa$$word doesn’t matter, I laid out the key password vulnerabilities, and in response to a gazillion “but other creds can be compromised, too” DMs and emails, I wrote All our creds are belong to us, where I outlined vulnerabilities in credentials other than passwords and highlighted…

Like he says in the blog “Hang up on PSTN and pick up the Microsoft Authenticator – your users will be happier and more secure because you did.”

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *