Microsoft wants to better protect hybrid workers connecting to the Azure Active Directory (AD) service through iOS or Android endpoints from phishing and password-stealing attacks.
The company has introduced a new authentication method for its enterprise identity service: passwordless, certificate-based authentication (CBA) backed by the YubiKey hardware security key, built by Yubico.
According to Microsoft’s announcement, the tool provides mobile users with a Federal Information Processing Standards (FIPS) certified login solution that is fully resistant to phishing attacks.
Simple and secure authentication
“The US Cybersecurity Executive Order 14028 requires the use of phishing-resistant MFA on all device platforms. On mobile, while customers can provide user certificates on their personal mobile device to be used for authentication, this is especially feasible for managed mobile devices. But this new public preview unlocks support for BYOD,” Microsoft Entra product manager Vimala Ranganathan wrote in the blog post announcing the new features.
The new method lets Azure AD users present certificates held on a hardware security key, so they can authenticate easily on mobile devices. On iOS, users must register through the Yubico Authenticator app and copy the public certificate to the iOS keychain. After that, they can select the YubiKey certificate to log in and enter the PIN.
For Android users, Microsoft said that Azure AD CBA support with YubiKey is enabled through the latest Microsoft Authentication Library (MSAL). Android users do not need the Yubico Authenticator app: they can connect the YubiKey via USB, launch Azure AD CBA, choose the YubiKey's certificate, enter the PIN and get authenticated.
Microsoft claims that this authentication method minimizes the chances of credential theft and identity theft via phishing or social engineering.
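To make concrete why a certificate-based login with a hardware key resists phishing where a password does not, here is an added Go example. It is not Microsoft's or Yubico's code and does not reproduce Azure AD's actual protocol: it models the registered certificate, the PIN-unlocked signing step and the provider's challenge check with a software key standing in for the YubiKey, and the user, PIN and identity-provider labels (`alice`, `123456`, `idp.example`, `idp-example.invalid`) are constructed. The provider issues a single-use nonce; the client signs it under the identifier of the site it is actually talking to; the provider verifies with the public key from the registered certificate over its own identifier, so a signature obtained by a look-alike site, or replayed from an earlier login, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential is what the user registers: an X.509 certificate plus its private key. In the
// product the key lives on the YubiKey and the PIN unlocks it; here a software key stands in.
type Credential struct {
	Cert *x509.Certificate
	priv *ecdsa.PrivateKey
	pin  string
}

// NewCredential generates a P-256 key pair and a self-signed certificate for subject.
func NewCredential(subject, pin string) (*Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &Credential{Cert: cert, priv: priv, pin: pin}, err
}

// digest binds the audience (who the client believes it is talking to) and the nonce.
func digest(audience string, nonce []byte) []byte {
	sum := sha256.Sum256(append([]byte(audience+"\x00"), nonce...))
	return sum[:]
}

// Sign is the client side: the user picks the certificate and enters the PIN, and the
// key signs the nonce under the audience of the site the client is actually talking to.
func (c *Credential) Sign(pin, audience string, nonce []byte) ([]byte, error) {
	if pin != c.pin { return nil, errors.New("wrong PIN") }
	return ecdsa.SignASN1(rand.Reader, c.priv, digest(audience, nonce))
}

// Verifier is the identity provider: its own audience, the certificate registered for
// each user, and the nonces it has issued but not yet seen consumed.
type Verifier struct {
	Audience string
	Certs    map[string]*x509.Certificate
	issued   map[string]bool
}
func NewVerifier(audience string) *Verifier {
	return &Verifier{Audience: audience, Certs: map[string]*x509.Certificate{}, issued: map[string]bool{}}
}

// Issue hands out a random single-use nonce; the client also learns v.Audience.
func (v *Verifier) Issue() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	v.issued[string(nonce)] = true
	return nonce, nil
}

// Verify checks the signature with the public key from the registered certificate over the
// verifier's OWN audience, then consumes the nonce, so look-alike or replayed logins fail.
func (v *Verifier) Verify(user string, nonce, sig []byte) error {
	cert, ok := v.Certs[user]
	if !ok { return errors.New("unknown user") }
	if !v.issued[string(nonce)] { return errors.New("nonce not issued or already used") }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(v.Audience, nonce), sig) { return errors.New("bad signature") }
	delete(v.issued, string(nonce))
	return nil
}

func main() {
	cred, err := NewCredential("alice@example.com", "123456") // constructed user and PIN
	if err != nil { panic(err) }
	v := NewVerifier("idp.example") // constructed identity-provider label, not a real host
	v.Certs["alice"] = cred.Cert
	n1, _ := v.Issue()
	sig, _ := cred.Sign("123456", v.Audience, n1)
	fmt.Println("genuine login:", v.Verify("alice", n1, sig))  // <nil>
	fmt.Println("replayed login:", v.Verify("alice", n1, sig)) // nonce not issued or already used
	// A look-alike site relays a real nonce, but the client signs under that site's audience.
	n2, _ := v.Issue()
	sig2, _ := cred.Sign("123456", "idp-example.invalid", n2)
	fmt.Println("relayed login:", v.Verify("alice", n2, sig2)) // bad signature
}
```

The nonce is consumed only on a successful verification, so a failed attempt cannot lock the genuine user out of an outstanding challenge; a production verifier would additionally validate the certificate chain, validity period and revocation status, rate-limit failures, and take the audience from the TLS origin rather than from a client-supplied string.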
“Microsoft’s mobile certificate-based solution combined with the hardware security keys is a simple, convenient, FIPS-certified, phishing-resistant MFA method,” concluded Ranganathan.