Skip to content

08B MFA Biometric Provider

redhook edited this page Mar 30, 2022 · 5 revisions

MFA Biometric Provider

WebAuthn / FIDO2 is a new open authentication standard, supported by browsers and many large tech companies such as Microsoft, Google etc.

The main driver is to allow a user to login without passwords, creating passwordless flows or strong MFA for user signup/login on websites.

The standard is not limited to web applications with support coming to Active Directory and native apps. The technology builds on public/private keys, allowing authentication to happen without sharing a secret between the user & platform.

This brings many benefits, such as easier and safer logins and makes phishing attempts extremely hard.

Managing MFA Biometric Provider

You can view or modify your Provider configuration.

To view your configuration you must use PowerShell applets or the MMC.

  • Log on the a primary Adfs server as administrator
  • Launch a new PowerShell session as administrator
  • type get-help Get-MFAProvider –detailed to get information.
  • type get-help Set-MFAProvider –detailed to get information.
  • Enter your command
Get-MFAProvider -ProviderType Biometrics
$c = Get-MFAProvider -ProviderType Biometrics
...
Set-MFAProvider -ProviderType Biometrics $c

MFA Biometric Provider Properties

Property Value Comments
Enabled True Does the provider is accessible to users
EnrollWizard True/False Does the provider supports Wizards, and Wizard is accessible to users
EnrollWizardDisabled True/False At registration, if the provider is not required, you can bypass the the wizard.
ForceWizard(1) Disabled Values can be Disabled, Enabled, Strict
When a user select "I do not have the code". After successfull authentication, if enabled or strict, the user MUST execute the wizard to register all the required properties
If Strict the user cannot cancel the opération
PinRequired False Does MFA require an additional code PIN
PinRequirements Null Allow Pin Requirement for WebAuthN request (User is not verified. examples: no pin for Security Key, no touch for fingerprint device, etc.. )
[Flags]
Null = 0
None = 1
AndroidKey = 2
AndroidSafetyNet = 4
Fido2U2f = 8
Packed = 16
TPM = 32
Apple = 64
DirectLogin True Launch directly biometric interface. User must cancel to access his configuration options if needed, or choose another authentication mode.
UseNickNames True if true, registration wizard allows to set a nickname for each device
Timeout 60000 Timeout for authenticating in ms
(under Configuration Node)
TimestampDriftTolerance 30000 Time difference between server and client in ms (UTC)
(under Configuration Node)
ChallengeSize int Size of the challenge as integer (16, 32, 48, 64 bytes) Equivalent to 128, 256, 384 and 512 bits
(under Configuration Node)
ServerDomain string Your public domain (recommended)
Sample : contoso.com
(under Configuration Node)
ServerName string Your Adfs Server Name or anything else representing your loadbalanced farm
Sample : adfs
(under Configuration Node)
ServerIcon (1) string Url for the farm icon (not implemented)
Origin (1) string the true Url of your Adfs farm (recommended)
Sample : https://sts.contoso.com
(under Configuration Node)
ForbiddenBrowsers (1) IE;Samsung;Nokia Browser known to not support WebAuthN (Internet Explorer for example), users will be redirected to choose another connection option.
- Firefox
- Samsung
- Nokia
- Opera
- IE (Internet Explorer)
- EdgeLegacy
- Edge
- Chrome
- Safari
- Unknown

# before Browser Name disable to option for this browser
InitiatedBrowsers (1) safari;unknown Especially for Apple devices ...
This option disable "Fast Login" for the session,
the user must click a button to initiate the registration/Logon ceremony.
https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
NoCounterBrowsers (1) safari;unknown Especially for Apple devices ...
This option disable WebAuthN/FIDO anti-replay feature
https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
FullQualifiedImplementation(1) string If you want to replace default email provider with your own solution, you must specify the Full Qualified replacement class
You MUST implement IExternalProvider or subclass BaseExternalProvider abstract class
Parameters(1) string Configuration parameters passed to the component

(1) Only available with PowerShell

Example

$c = Get-MFAProvider -ProviderType Biometrics
$c.Timeout = 60000
$c.ChallengeSize = 32
Set-MFAProvider -ProviderType Biometrics $c

Managing MFA Biometric Provider with MMC

  • Log on the a primary ADFS server as administrator
  • Launch MMC snappin

MMC BIOPROV

Clone this wiki locally