Ditch Username/Password: Secure Your B2C Logins with Custom TOTP MFA

A username/password combination on its own can no longer be considered a solid security measure. It can be strengthened by adding a further layer, Multi-Factor Authentication (MFA). Azure AD B2C supports several MFA methods: phone call, SMS, email and TOTP (Time-based One-Time Password).

This article lists the steps for building a custom policy that sets up TOTP MFA for a user. The same TOTP enrolment is also available when you enable MFA in your sign-in policy, but if you want to keep MFA setup in a separate policy of its own, this is the approach you can use.

1. Before you begin

Ensure that your custom policy setup supports MFA.

Refer to this link to enable MFA in your custom policy, then come back and continue from the next step.

2. Set the value of totpIdentifier

<ClaimsProvider>
    <DisplayName>Set_totpIdentifier_CP</DisplayName>
    <TechnicalProfiles>
        <!-- Claims-transformation technical profile: runs no user interaction, only
             populates totpIdentifier via the Set_totpIdentifier_CT transformation -->
        <TechnicalProfile Id="Set_totpIdentifier_TP">
            <DisplayName>Set_totpIdentifier_TP</DisplayName>

            <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

            <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="issuerUserId" />
            </OutputClaims>

            <!-- Set_totpIdentifier_CT must be defined under BuildingBlocks/ClaimsTransformations -->
            <OutputClaimsTransformations>
                <OutputClaimsTransformation ReferenceId="Set_totpIdentifier_CT" />
            </OutputClaimsTransformations>

            <!-- No session state is written for this profile -->
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

<!-- Replace X with the step number that follows the user's sign-in in your journey -->
<OrchestrationStep Order="X" Type="ClaimsExchange">
    <ClaimsExchanges>
        <ClaimsExchange Id="Set_totpIdentifier_CE" TechnicalProfileReferenceId="Set_totpIdentifier_TP" />
    </ClaimsExchanges>
</OrchestrationStep>

  • totpIdentifier is a ClaimType that ships with the base MFA setup for custom policies.
  • The MFA enrolment page requires this ClaimType to hold a value such as phoneNumber, email, or userPrincipalName.

3. Display MFA enrollment page

<OrchestrationStep Order="X + 1" Type="InvokeSubJourney">
    <JourneyList>
        <Candidate SubJourneyReferenceId="TotpFactor-Input" />
    </JourneyList>
</OrchestrationStep>

  • In this step we invoke the built-in sub-journey TotpFactor-Input.
  • This sub-journey includes all the steps required to set up TOTP MFA for a user.
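The two fragments above only make sense once they are wired into a full journey, and the post references a claims transformation (Set_totpIdentifier_CT) without defining it. The following is an added example, not code from the post or from Microsoft, that puts steps 2 and 3 together. It assumes that Set_totpIdentifier_CT is a CopyClaim from issuerUserId into totpIdentifier (the post's output claim; any claim that identifies the signed-in user, such as an email, works the same way), that the journey is preceded by the starter pack's local-account sign-in profile SelfAsserted-LocalAccountSignin-Email so that a factor is only ever bound to an authenticated user, and that it ends with the standard JwtIssuer. The journey id TotpMfaSetup and the exchange ids are assumptions.

```xml
<!-- Added example (not from the post). Assumptions: Set_totpIdentifier_CT copies
     issuerUserId into totpIdentifier; sign-in precedes MFA enrolment; JwtIssuer and
     SelfAsserted-LocalAccountSignin-Email come from the B2C starter pack. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Shipped with the base TOTP MFA setup; shown here only for its shape -->
    <ClaimType Id="totpIdentifier">
      <DisplayName>TOTP identifier</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- The transformation the post's Set_totpIdentifier_TP references.
         CopyClaim fails the step if the input claim is absent, so the sign-in
         step before it must actually emit issuerUserId. -->
    <ClaimsTransformation Id="Set_totpIdentifier_CT" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="totpIdentifier" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<UserJourneys>
  <!-- Journey id is an assumption; it is what the relying-party file refers to -->
  <UserJourney Id="TotpMfaSetup">
    <OrchestrationSteps>
      <!-- 1: authenticate first, so only the account owner can enrol a factor -->
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- 2: the post's Order="X" step, populates totpIdentifier -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="Set_totpIdentifier_CE" TechnicalProfileReferenceId="Set_totpIdentifier_TP" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- 3: the post's Order="X + 1" step, built-in TOTP enrolment (QR code + first code check) -->
      <OrchestrationStep Order="3" Type="InvokeSubJourney">
        <JourneyList>
          <Candidate SubJourneyReferenceId="TotpFactor-Input" />
        </JourneyList>
      </OrchestrationStep>

      <!-- 4: issue the token; enrolment only counts if this step is reached -->
      <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>
```

Two practical checks when running this: if totpIdentifier is empty when TotpFactor-Input starts, the sub-journey fails rather than enrolling a factor, which is why step 2 sits strictly before step 3; and because this journey binds a new factor to the account, it should only be reachable after a fresh interactive sign-in (step 1 here), not from a long-lived SSO session.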

4. Conclusion

Adding these steps to your UserJourney gives you an independent custom policy for TOTP enrolment that you can call from anywhere in your app or workflow.

This post is licensed under CC BY 4.0 by the author.