Mobile Authentication for a Web Site with a YubiKey NEO

I keep up with what gets posted on Channel 9 (lots of good stuff there), and a few months back I watched a demo which really is quite the smooth solution:
http://channel9.msdn.com/Shows/Web+Camps+TV/Benjamin-Soulier-Logs-into-a-Web-Site-Using-a-Bar-Code-and-Windows-Phone

What they show is how a normal web site presents a QR code for login, and when you scan the QR code with an app on your Windows Phone 8 device you are authenticated, and the web site refreshes its view to show that you are now logged in! (The web site is shown on a computer where there is no direct communications channel to or from the mobile device.) You gotta watch it to understand it. (Forward to around the 15-minute mark for the actual demo.)

Unfortunately there isn’t any sample code to follow the video, so you can’t just download a module and install in your own solution. While I don’t know the specifics of the implementation there were a few key words that got me thinking about how it could be done.

About a year ago I did two posts on a product called YubiKey:
http://mobilitydojo.net/2012/05/09/two-factor-authentication-on-mobile-devices/
http://mobilitydojo.net/2012/05/14/active-directory-federation-services-and-yubikeys/

Nice product, and I use it for some of my authentication needs, but I never got around to doing anything really snazzy with it. So I thought I’d see if the YubiKey could be used for a scenario similar to the one in the video.

Semi-long post, so you might want to grab a cup of coffee before going into the details. If you’re in a hurry just skip to the bottom of the post where there’s a video showing the end result 🙂


Windows RT – MDM First Impressions

If you’ve had a hankering for some MDM love on the Windows 8 platform, (Windows RT and Windows Phone 8 specifically), Christmas comes early from Microsoft who has upgraded their Windows Intune platform to support the aforementioned devices. (I realize that there might be a limited audience of people desperate to manage these devices as I don’t think there’s been any large scale deployments yet, but people are starting to ask about what’s happening in the MDM space for MSFT operating systems so it’s worth looking into nonetheless.)

Not much has been released publicly regarding the MDM capabilities of Windows RT & Windows Phone 8 so far other than some vague statements about an MDM API, and support in Windows Intune and System Center Configuration Manager 2012 SP1. (SP1 has RTMed and should go GA in a matter of a few weeks.) A couple of third-party MDM vendors have also announced support, but they haven’t shared all that many details either. So let’s do a quick tour of what we can do now that we have a tool available.


Active Directory Federation Services and YubiKeys

The conclusion to my previous post was that I’ll be showing how to implement YubiKeys along with Active Directory Federation Services. So, where do we start on this topic?…

The logic at play here is that if you aren’t familiar with Active Directory Federation Services (from here on abbreviated as ADFS), a lot of this post will not make sense to you at first glance. So, if you are familiar with ADFS skip ahead – if not, I’ll have a few paragraphs explaining why you might be interested in taking a look at ADFS.

Surely everyone has noticed that there are a lot of web sites where there are two options for signing in: either using an account for that particular site or "use your Google/Facebook/Twitter account to sign in". The basic concept is easy enough – you already have a user identity, so why would you need another one? Why can’t you re-use the existing one? If you have ever logged on to a domain-joined Windows computer you’ve experienced this already. There is a central user catalog called "Active Directory" that you sign in to, and after being verified there you can access your file shares, Exchange account, etc. without needing to sign into each and every one of those services.
