How it works: Azure Multi-Factor Authentication

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.

Conceptual image of the different forms of multi-factor authentication

Azure Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.
  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
  • Something you are - biometrics like a fingerprint or face scan.

Users can register themselves for both self-service password reset and Azure Multi-Factor Authentication in one step to simplify the onboarding experience. Administrators can define which forms of secondary authentication can be used. Azure Multi-Factor Authentication can also be required when users perform a self-service password reset, to further secure that process.

Authentication methods in use at the sign-in screen

Azure Multi-Factor Authentication helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy-to-use authentication methods. Users may or may not be challenged for MFA based on configuration decisions that an administrator makes.

Your applications or services don't need to make any changes to use Azure Multi-Factor Authentication. The verification prompts are part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when required.

Available verification methods

When a user signs in to an application or service and receives an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator can require registration of these Azure Multi-Factor Authentication verification methods, or the user can access their own My Profile page to edit or add verification methods.

The following additional forms of verification can be used with Azure Multi-Factor Authentication:

  • Microsoft Authenticator app
  • OATH hardware token
  • SMS
  • Voice call

How to enable and use Azure Multi-Factor Authentication

Users and groups can be enabled for Azure Multi-Factor Authentication to prompt for additional verification during the sign-in event. Security defaults are available for all Azure AD tenants to quickly enable the use of the Microsoft Authenticator app for all users.

For more granular control, Conditional Access policies can be used to define the events or applications that require MFA. These policies can allow regular sign-in events when the user is on the corporate network or a registered device, but prompt for additional verification factors when the user is remote or on a personal device.

Overview diagram of how Conditional Access protects the sign-in process

Next steps

To learn about licensing, see Features and licenses for Azure Multi-Factor Authentication.

To see MFA in action, enable Azure Multi-Factor Authentication for a set of test users in the following tutorial: