Microsoft hits the switch on password-free smartphone authentication
No more MF phish on this MFA cellphone as Azure AD CBA + YubiKey hits preview
Microsoft is rolling out another way for smartphone and tablet users to protect themselves from phishing attacks as post-pandemic hybrid work pulls more and more workers under bring-your-own-device (BYOD) policies.
By so doing, of course, it also ties up the security loose ends for businesses, who find BYOD "convenient" (cough, cheap, cough) but insecure.
At its Ignite 2022 event last month, Microsoft announced general availability of Azure Active Directory (AD) certificate-based authentication (CBA), addressing a component of the Biden Administration's executive order last year to strengthen the US's cybersecurity.
Microsoft is now offering a public preview of Azure AD CBA on devices running Apple's iOS and Android that uses certificates on Yubico's YubiKey hardware security key.
The authentication method is based on certificates rather than passwords. Microsoft, along with others including Apple and Google, is pushing for passwordless authentication – and aims to fend off phishing attacks designed to get around multifactor authentication (MFA).
Vimala Ranganathan, product manager for Microsoft Entra, explained that the preview will give mobile device users a login method that supports Federal Information Processing Standards (FIPS) for anti-phishing MFA.
"On mobile, while customers can provision user certificates on their personal mobile device to be used for authentication, this is primarily feasible for managed mobile devices," Ranganathan said. "But this new public preview unlocks support for BYOD. Customers can now provision certificates on a hardware security key which can then be used for authentication with Azure AD on iOS and Android devices."
iOS device users will have to register for the Yubico Authenticator app to copy YubiKey's public certificate into the iOS keychain and then select the YubiKey certificate to sign in and enter the PIN code.
Android devices enabled by the latest Microsoft Authentication Library (MSAL) won't need the YubiKey Authenticator app. Instead, users can plug in their YubiKey through the USB, initiate Azure AD CBA and pick the certificate from YubiKey. From there they enter the PIN to get authenticated into the app.
The new capability comes as the adoption of BYOD is on the rise, wrote Alex Weinert, vice president and director of identity security at Microsoft. The BYOD space is expected to grow an average of 15.1 percent a year, hitting $485.5 billion by 2025, says market research firm IndustryArc. ®