Microsoft is releasing the public preview of Azure Active Directory (AD) Certificate-based Authentication (CBA) on iOS and Android devices using certificates on hardware security keys from Yubico.
The company first announced the general availability of Azure AD CBA during Ignite 2022 as part of the company’s commitment to President Joe Biden’s executive order on improving the U.S.’s cybersecurity, and now the feature is available in preview on iOS and Android using the YubiKey.
According to Microsoft, the feature is designed for bring-your-own-device (BYOD) environments by giving admins the ability to require phishing-resistant multifactor authentication on mobile without having to provision certificates on the user’s mobile device.
Vimala Ranganathan, product manager on Microsoft Entra, says in a blog that the feature is compliant with the executive order, which requires phishing-resistant MFA on all device platforms.
“On mobile, while customers can provision user certificates on their personal mobile device to be used for authentication, this is primarily feasible for managed mobile devices,” Ranganathan says. “But this new public preview unlocks support for BYOD.”
Now, customers can now provision certificates on a hardware security key which can then be used for authentication with Azure AD on iOS and Android devices, according to Ranganathan.
“Microsoft’s mobile certificate-based solution coupled with the hardware security keys is a simple, convenient, FIPS (Federal Information Processing Standards) certified phishing-resistant MFA method,” Ranganathan writes in the blog.
All browser-based web-apps and native apps, including Microsoft first-party apps using the latest Microsoft Authentication Library (MSAL), support Azure AD CBA with YubiKey on mobile devices. Azure AD CBA with YubiKey is also supported with the brokered authentication flow using latest Microsoft Authenticator (Android or iOS/iPadOS) for all apps that are not already on the latest MSAL, the Entra product manager says.
To use as one-time registration on iOS, the user needs to use Yubico Authenticator for iOS app to copy YubiKey’s public certificate into the iOS keychain. The private part of the smartcard certificate never leaves the YubiKey, Ranganathan notes.
To sign in, users can select the YubiKey certificate from the certificate picker, either insert the YubiKey or tap an NFC enabled YubiKey, enter PIN via YubiKey Authenticator, and finish the authentication flow.
On Android, Azure AD CBA support is enabled via the latest MSAL, and YubiKey Authenticator app is not a requirement for Android support. Users can plug in their YubiKey via USB, initiate Azure AD CBA, pick the certificate from YubiKey, enter their PIN and get authenticated into the application, according to Microsoft.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply