Active Directory Federation Services and YubiKeys

The conclusion to my previous post was that I’ll be showing how to implement YubiKeys along with Active Directory Federation Services. So, where do we start on this topic?…

It’s sort of a logic at play here that says that if you aren’t familiar with Active Directory Federation Services (from here on abbreviated as ADFS) a lot of this post will not make sense to you at first glance. So, if you are familiar with ADFS skip ahead – if not I’ll have a few paragraphs explaining why you might be interested in taking a look at ADFS.

Surely everyone has noticed that there are a lot of web sites where there’s two options for signing in; either using an account for that particular site or "use your Google/Facebook/Twitter account to sign-in". The basic concept is easy enough – you already have a user identity, so why would you need another one? Why can’t you re-use the existing one? If you have ever logged on to a domain-joined Windows computer you’ve experienced this already. There is a central user catalog called "Active Directory" that you sign in to, and after being verified there you can access your file shares, Exchange account, etc without needing to sign into each and every one of those services.

Read more

Two-factor Authentication on Mobile Devices

I have a number of things I find interesting when it comes to computers and gadgets, and a recurring theme for me is decent security combined with good user experiences. (That does sound grandiose doesn’t it?)

Lately I’ve been researching this more than usual partly due to building some services in Windows Azure where I want to provide secure and authenticated access. (And I don’t consider myself competent to build a fully hardened solution from scratch just because I know what hashing and salting of passwords means.) While looking into this I came across a nifty product series called YubiKey from http://www.yubico.com, and wanted to share some thoughts on these. If you’ve visited my blog before you might have noticed I’ve already covered client certificates a few times, which of course also meets the definition of two-factor, but this time around we’re looking at hardware for providing the additional factor.

Read more