Microsoft is looking to better protect hybrid workers who connect to Azure Active Directory (AD) from iOS or Android endpoints against phishing and password-theft attacks.
The company introduced a new authentication method for its enterprise identity service that it describes as passwordless, certificate-based authentication (CBA), enabled through the YubiKey hardware security key made by Yubico.
According to Microsoft’s announcement, the tool will give mobile users a FIPS-certified login solution that’s completely resistant to phishing attacks.
Easy and secure authentication
“US Cybersecurity Executive Order 14028 requires phishing-resistant MFA to be used on all hardware platforms. On mobile, while customers can provide user certificates on their personal mobile devices for use in authentication, this is primarily possible for managed mobile devices. But this new public preview unlocks support for BYOD,” Vimala Ranganathan, Microsoft Entra Product Manager, wrote in the blog post announcing the new features.
With the new solution, Azure AD users can present certificates stored on a hardware security key, allowing them to authenticate easily on mobile devices. Apple iOS users enroll through the Yubico Authenticator app, which copies the public certificate into the iOS keychain. After that, they select the YubiKey certificate at sign-in and enter the key's PIN.
For Android users, Microsoft said Azure AD CBA support with YubiKey is enabled via the latest MSAL (Microsoft Authentication Library). Android users do not need the Yubico Authenticator app: they connect the YubiKey over USB, start the Azure AD CBA sign-in, choose the certificate from the YubiKey, enter the PIN, and are authenticated.
Microsoft claims that this authentication method reduces the likelihood of credential and identity theft carried out through phishing or social engineering.
“Microsoft’s mobile certificate-based solution combined with hardware security keys is a simple, convenient, anti-phishing, and FIPS-certified approach,” concluded Ranganathan.