Microsoft Enables Phishing-Resistant MFA Through Certificate-Based Authentication

Microsoft enabled certificate-based authentication (CBA) in Azure Active Directory, paving the way for organizations to adopt federally compliant multi-factor authentication (MFA) that will resist phishing attempts.

The Azure AD CBA release is expected to facilitate migration of on-premises Active Directory implementations to the cloud. Microsoft has long encouraged cloud migration as a countermeasure against phishing attacks.

Last week, the company released a public preview of Azure AD CBA on iOS and Android devices, which uses certificates from Yubico’s hardware security key. The feature will let enterprises use phishing-resistant MFA on employee-owned devices without manually installing user certificates.

“US Cybersecurity Executive Order 14028 requires the use of phishing-resistant MFA on all device platforms,” said Microsoft Entra product manager Vimala Ranganathan. “On mobile, while customers can provision user certificates on their personal mobile device to be used for authentication, this is primarily feasible for managed mobile devices. But this new public preview unlocks support for BYOD. Customers can now provision certificates on a hardware security key which can then be used for authentication with Azure AD on iOS and Android devices.”

iOS users must copy YubiKey’s public certificate into the iOS keychain using the Yubico Authenticator for iOS app. Although the certificate is copied onto the iOS device, Microsoft says the smartcard certificate’s private part never leaves the YubiKey.

When signing in, users select the appropriate certificate from a list, insert the YubiKey or tap an NFC-enabled one and type the PIN.

The YubiKey Authenticator app is not required on Android devices, as Azure AD CBA support with YubiKey is ensured through the latest Microsoft Authentication Library (MSAL). The authentication process is similar to the one on iOS devices; users must plug in their YubiKey, initiate Azure AD CBA, select the correct certificate and type the PIN.