Microsoft and Yubico Preview Certificate-Based Authentication for Mobile Devices Using Security Keys
Microsoft on Wednesday announced a preview of Azure Active Directory Certificate-Based Authentication (CBA) support for Android and iOS devices using hardware security keys.
The Azure AD CBA support enables "phishing-resistant" multifactor authentication (MFA) protections for those mobile devices. Currently, it's supported with Yubico's YubiKey security keys.
YubiKeys are the only security keys with Azure AD CBA support at present, Yubico noted in a Wednesday announcement. Additionally, "the YubiKey is the only FIPS [Federal Information Processing Standards] certified phishing-resistant solution available for Azure AD on mobile," Yubico indicated.
Azure AD CBA use will let organizations tap "bring your own device" (BYOD) scenarios. They can "require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," explained Alex Weinert, director of identity security at Microsoft, in the announcement.
It's also possible to enforce conditional access policies on mobile device users by using Microsoft's "new Conditional Access authentication strength policies," Yubico noted.
Organizations can use Azure AD CBA with mobile devices, even unmanaged ones, and still meet the requirements of the Biden administration's Executive Order 14028, which requires the use of phishing-resistant authentications for federal agencies, Microsoft suggested.
Microsoft described one stipulation for the Azure AD CBA and YubiKey support. Applications need to support the "latest Microsoft Authentication Library (MSAL)" to work with this scheme, Microsoft indicated. If they don't have such support, organizations can get around that limitation by using the Microsoft Authenticator app.
"Azure AD CBA with YubiKey is also supported with the brokered authentication flow using latest Microsoft Authenticator (Android or iOS/iPadOS) for all apps that are not already on the latest MSAL," Microsoft's announcement clarified.
Azure AD CBA as ADFS Replacement
The Azure AD CBA service itself reached the "general availability" commercial-release stage last month as part of the Microsoft Ignite event, Weinert indicated.
Microsoft had previewed Azure AD CBA back in February as a solution that would enable phishing-resistant authentication while also letting organizations stop using Microsoft's Active Directory Federation Services (ADFS) for authentication.
ADFS, a Windows Server role, lets organizations authenticate using their own infrastructure in conjunction with the Azure AD service. However, ADFS was leveraged in alleged nation-state espionage attacks publicized last year, following the compromise of SolarWinds' Orion management software. ADFS may have been targeted because it has been too complex for most organizations to configure and secure properly.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends the use of phishing-resistant MFA for all organizations and last month published "fact sheet" guidance on how to implement it.
CISA also doubled down on its support for phishing-resistant MFA during the opening keynote talk of last month's FIDO Alliance Authenticate conference. Yubico and Microsoft are both FIDO Alliance members that collaborated on implementing FIDO2-based phishing-resistant authentication solutions.
CISA also advocated the use of number matching to avoid so-called "push notification fatigue." Push notification fatigue is a technique in which attackers who already hold a user's password repeatedly trigger authentication requests until the user, worn down by the prompts, approves one, which bypasses the secondary authentication factor.
Microsoft announced last month that it is planning to make number matching a default capability for all Microsoft Authenticator users in 2023.
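To make the difference between a plain push prompt and number matching concrete, here is an added example (constructed model, not Microsoft Authenticator's code): a plain push challenge accepts any tap on "Approve", whereas a number-matching challenge requires the two-digit value shown only on the login screen, so a blind approval fails. The example also includes a simple rate-based check that flags the repeated prompts characteristic of a fatigue campaign. Class and function names, the three-prompts-per-five-minutes threshold and the user names are assumptions.

```python
import hmac
import secrets
from collections import defaultdict, deque


class PushChallenge:
    """One pending push approval (constructed model, not a real MFA server)."""

    def __init__(self, user, number_matching):
        self.user = user
        self.number_matching = number_matching
        # With number matching, the server shows a two-digit number only on the
        # login screen; the app must send that number back with the approval.
        self.expected = f"{secrets.randbelow(100):02d}" if number_matching else None

    def approve(self, entered=None):
        """Return True if this approval should be accepted."""
        if not self.number_matching:
            return True  # plain push: any tap on 'Approve' completes the sign-in
        if entered is None:
            return False
        # Constant-time comparison; a wrong or wrong-length guess is rejected.
        return hmac.compare_digest(self.expected, entered)


class FatigueDetector:
    """Flag a user who receives more than `limit` push challenges within `window` seconds."""

    def __init__(self, limit=3, window=300):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def record(self, user, ts):
        """Record one push sent at time `ts`; return True when the rate looks like fatigue."""
        q = self.events[user]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop prompts that fell outside the window
        return len(q) > self.limit


def simulate_blind_approval(number_matching):
    """Model a user who taps 'Approve' on a prompt they did not initiate.

    They never saw the login screen, so with number matching they can only guess;
    'xx' stands in for a guess that cannot match any two-digit value.
    """
    ch = PushChallenge("alice", number_matching)
    return ch.approve(None if not number_matching else "xx")
```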
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.