Microsoft Locks Down the Cloud With Multifactor Authentication

Microsoft makes its Windows Azure cloud services platform a bit more hacker-resistant with a security feature that Web-facing tech companies are increasingly embracing.

Businesses that offer employees, partners and customers access to their Windows Azure Active Directory (AD) managed apps can now add another layer of security to data that's stored on Microsoft's cloud.

Microsoft announced Active Authentication, a new multifactor authentication offering based on the company's PhoneFactor acquisition. The software giant bought the firm in October 2011 to add two-factor, mobile phone-based secure access capabilities to its growing cloud application portfolio. Following the deal, Bharat Shah, corporate vice president for the Server and Tools Division at Microsoft, said in a statement that the buy would "bring effective and easy-to-use multifactor authentication to our cloud services and on-premise applications."

"In addition, PhoneFactor's solutions will help Microsoft customers, partners and developers enhance the security of almost any authentication scenario," added Shah. Windows Azure director, Sarah Fender, announced in a June 12 blog post that the company is making good on some of its promises.

"Starting today, companies can enable multi-factor authentication for Windows Azure Active Directory identities to help secure access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online and many other apps that are integrated with Windows Azure AD," she wrote.

Active Authentication is also available for developers who are creating Azure-based apps, informed Fender. "Developers can also use the Active Authentication SDK to build multi-factor authentication into their custom applications and directories."

Typical of multifactor authentication schemes, Active Authentication secures Azure apps and data by "adding an extra step to the sign in process." In this case, a user is granted access by supplying a login ID and password and authenticating via the Active Authentication mobile app, an automated phone call or text message.

Alex Simons, director of Program Management for Active Directory, noted in an Active Directory Team Blog post that despite the extra precautions, users have some say in how they interact with the system.

"Of course, the app is my personal favorite but you might like receiving a phone call better and most of the folks on our team prefer the SMS messaging option. The great thing about the service is that your users can choose the method they like best and switch between methods without any additional configuration on your part," wrote Simons.

Microsoft is offering two pricing models. Organizations can opt for per-user, per-month plans or a per-authentication option that is based on the total number of authentications that are performed each month. Before Active Authentication is officially made generally available, the company is offering the service at the discounted price $1.00 per user per month or $1.00 for every 10 authentications.

Active Authentication for Windows Azure arrives just as big tech companies are rushing to deploy two-factor and multifactor authentication systems to protect their users.

In May, Twitter rolled out two-factor authentication to improve security after a spate of high-profile breaches that compromised the accounts of media organizations, including the Financial Times and BBC, and Twitter itself. Google got an early start by offering two-factor authentication for Google Apps in 2010.