Microsoft is launching the general availability of Azure AD CBA on iOS and Android devices using certificates on hardware security keys via USB and NFC.
According to Microsoft, this allows customers to provision certificates on a hardware security key which can be used for authentication with Azure AD on iOS and Android devices, giving organizations a more convenient and compliant phishing-resistant multifactor authentication method.
“Microsoft’s mobile certificate-based solution coupled with the hardware security keys is a simple, convenient, Federal Information Processing Standards (FIPS) certified phishing-resistant MFA method,” the company says in a blog.
Microsoft says Apple added native support for physical smart card authentication using an NFC or CCID class-compliant reader with iOS 16 and iPadOS 16.1, and organizations can now use CCID compatible smart cards against Azure AD for authentication.
All native apps, including Microsoft first-party apps using the latest Microsoft Authentication Library (MSAL), support Azure AD CBA with YubiKey on mobile devices, Microsoft says. Azure AD CBA with YubiKey is also supported with the brokered authentication flow using latest Microsoft Authenticator on supported mobile platforms for all apps that are not already on the latest MSAL.
According to Yubico, the maker of YubiKeys, support for phishing-resistant authentication continues to grow, and the following can be enabled with YubiKeys and Azure AD without passwords on mobile devices:
- Sign-in to Microsoft first party applications like Office, Teams, Outlook and many more.
- Sign-in to other 3rd party application, or even an organization’s custom apps protected with Azure AD.
- Sign-in to Edge profiles which then allows Single Sign-On (SSO) to all Azure AD protected web applications.
- Sign-in to Azure Virtual Desktops with the web client.
- AD FS for CBA
With mobile support, organizations can require the strongest Conditional Access Policy Authentication Strength with certificate-based authentication everywhere, including on mobile devices. This allows organizations to block any sign-in attempt that doesn’t use CBA.
Configuring CBA on Azure requires a few steps, and will likely require the installation of the Microsoft Authenticator app on Android or iOS/iPadOS, as well as the Yubico Authenticator app. However, existing YubiKey PIV/smart card issuance processes do not need to change.
The companies also suggest setting up Conditional Access Policies Authentication Strengths so organizations can see how access is blocked if they don’t use CBA.
Read this Microsoft Tech Community blog for more information.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
