Microsoft Highlights Certificate-Based Authentication and FIDO2 Security Advances

In a Friday announcement, Microsoft cited progress on enabling phishing-resistant authentication for organizations.

The announcement highlighted FIDO2 preview support for iOS and macOS apps, Microsoft Authenticator FIPS 140-3 compliance, and Certificate-Based Authentication (CBA) advances, among other matters.

CBA Advancements
CBA reached "general availability" last year as an alternative to using identity providers that tap local Active Directory, such as Microsoft's own Active Directory Federation Services (ADFS). ADFS is a Windows Server role that links to the Microsoft Entra ID service (formerly called "Azure Active Directory"). Misconfigurations in ADFS were leveraged a couple of years ago in espionage attacks against U.S. government agencies.

Microsoft's U.S. government customers have since massively shifted to using CBA, per the Friday announcement by Alex Weinert, director of identity security at Microsoft:

In the last year since we announced the General Availability of Certificate-based Authentication (CBA), we've seen an increase of over 850% in Entra ID CBA usage for US Government customers. CBA helps our customers in their Zero Trust journey, migrating from on-premises IdPs such as AD FS, while continuing to provide familiar end user experience using PIV / CAC.

Other CBA advances include the ability to "select certificate strength for different users, use CBA with other methods for multifactor or step-up authentication, and set high affinity (strong) binding for either the entire tenant or by user group," Weinert indicated.

Decommissioning ADFS and moving to "native Microsoft Entra ID authentication" is a key best practice for organizations, as recently advocated by the Microsoft Incident Response team.

'Phishing-Resistant' Microsoft Authenticator
Microsoft is promising that it will soon be possible for Microsoft Entra ID users to "register and sign in with device-bound passkeys managed in the Microsoft Authenticator app," which will enable so-called "phishing resistant" authentications. A "passkey" is FIDO2 terminology for a credential that permits sign-in without a user name and password. Setting one up can be as simple as scanning a QR code with a mobile device, for instance.
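As an added illustration of what "phishing resistant" means for a FIDO2 passkey (example code written for this page, not code from the article or from Microsoft): the relying party checks that the browser-reported origin, the fresh challenge and the authenticator's rpIdHash all match its own identity, so an assertion collected on a look-alike domain or replayed later is rejected. The relying-party ID, origin and challenge below are hypothetical, constructed values.

```python
import hashlib
import json

# Hypothetical relying party (RP) identity; constructed for this example.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
# Constructed one-time challenge (base64url of 16 bytes) the RP issued for this sign-in.
CHALLENGE = "MDEyMzQ1Njc4OWFiY2RlZg"


def make_client_data(origin: str, challenge_b64: str) -> bytes:
    """Build the clientDataJSON a browser produces for a sign-in ceremony at `origin`.
    The browser, not the web page, fills in `origin`, and the authenticator signs
    over its hash, so a phishing page cannot substitute the real RP's origin."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge_b64, "origin": origin}
    ).encode()


def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData starts with SHA-256(rpId), then a flags byte and a counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge_b64: str) -> tuple[bool, str]:
    """Return (ok, reason) for the origin/challenge/rpId binding checks an RP performs.
    Signature verification over authData || SHA-256(clientDataJSON) is omitted here;
    this shows only the checks that make the credential phishing-resistant."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge_b64:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the RP origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


if __name__ == "__main__":
    # A look-alike phishing domain: the browser reports its real origin, so the RP rejects it.
    print(verify_assertion(make_client_data("https://login.example-com.evil", CHALLENGE),
                           make_auth_data(RP_ID), CHALLENGE))
```

Contrast this with a TOTP code or push approval, which carries no notion of where the user typed it and therefore can be relayed by a proxy phishing page.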

Microsoft Authenticator is expected to get passkey support "in the first half of 2024."

Microsoft also noted that the Microsoft Authenticator app is now FIPS 140-3 compliant on Android devices running version 6.2310.7174. The compliance applies to "all Microsoft Entra authentications using phishing-resistant device-bound passkeys, push multifactor authentications (MFA), passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP)."

The Microsoft Authenticator app is already FIPS 140 compliant on iOS devices.

FIDO2 Previews for iOS and macOS
Microsoft also announced that FIDO2 authentication is at the public preview stage for iOS and macOS devices:

With this release, users who have Microsoft Authenticator installed on iOS or Microsoft Intune Company Portal installed on macOS can sign into Microsoft applications using a FIDO2 security key. This feature is available now on iOS and will be available early next year on macOS.

Microsoft also noted that there is FIDO2 authentication support for "MSAL-enabled third-party apps on iOS and macOS that meet the requirements listed in Support passwordless authentication with FIDO2 keys in apps you develop." MSAL refers to the "Microsoft Authentication Library," part of the Microsoft Identity Platform. A few years ago, MSAL supplanted the deprecated Azure Active Directory Authentication Library (ADAL) API for developers who work with Microsoft's identity services.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
