Microsoft fights phishing with passwordless authentication for Azure AD on iOS and Android 


The FIDO Alliance-driven crackdown on passwords and phishing scams has been one of this year’s most significant security developments, with vendors including Microsoft, Google and Apple all committing to develop passwordless authentication solutions.

Just today, Microsoft announced it is releasing passwordless, certificate-based authentication (CBA) for Azure AD on iOS and Android devices using Yubico’s YubiKey hardware security key. The new solution gives Android and iOS users a FIPS (Federal Information Processing Standards)-certified, phishing-resistant login method.

With phishing attacks still rising, this expansion makes the Microsoft ecosystem more resistant to social engineering and credential theft. In particular, it protects users in hybrid working environments who connect to Azure AD from iOS and Android devices.

Fighting phishing attacks in hybrid working environments 

The announcement comes less than a month after Microsoft announced the release of three new CBA and phishing-resistant solutions designed to help organizations prevent phishing attacks in Azure, Office 365 and Remote Desktop environments.


Low-Code/No-Code Summit

Learn how to build, scale, and govern low-code programs in a straightforward way that creates success for all this November 9. Register for your free pass today.

Register Here

It also comes after the Biden administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity mandated that U.S. federal agencies adopt phishing-resistant multi-factor authentication to combat increasingly common phishing attacks.

As recently as yesterday, Dropbox confirmed it had been hacked via a phishing scam that gave attackers access to some of the organization’s source code and customer information. 

With these threats so common, decreasing reliance on password-based security is now critical for reducing exposure to these increasingly effective scams, particularly in hybrid working environments.  

“U.S. cybersecurity Executive Order 14028 requires the use of phishing-resistant MFA on all device platforms. On mobile, while customers can provision user certificates on their personal mobile device to be used for authentication, this is primarily feasible for managed mobile devices. But this new public preview unlocks support for BYOD,” said Vimala Ranganathan, product manager of Microsoft Entra, in the announcement blog post.

How the Microsoft/YubiKey phishing-resistant authentication works 

The new Microsoft/YubiKey login solution lets users provision certificates on a hardware security key and use them to authenticate on iOS and Android devices.

iOS users register via the Yubico Authenticator for iOS app, which copies the YubiKey’s public certificate into the iOS keychain. To sign in, the user selects the YubiKey certificate from the certificate picker and enters a unique PIN in the Yubico Authenticator.

On Android, Azure AD CBA support is enabled through the latest MSAL (Microsoft Authentication Library), with no need for the Yubico Authenticator app. The YubiKey is plugged in over USB; the user picks a certificate and enters the PIN to authenticate to the application.

This approach reduces the chance of credential theft through phishing or social engineering.
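As an added illustration (not code from Microsoft, Yubico or this article), the flow described above modelled with Go’s standard library: a token whose private key never leaves it and which signs only after the correct PIN, and an identity provider that enrols the certificate’s public key and issues single-use random challenges. The type and function names, the PIN handling and the challenge bookkeeping are assumptions for the model, not the actual YubiKey or Azure AD implementation.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// HardwareKey models the YubiKey: the private key never leaves the token and signing is PIN-gated.
type HardwareKey struct {
	priv *ecdsa.PrivateKey
	pin  string
	Pub  *ecdsa.PublicKey // the only part copied into the phone keychain; it cannot sign
}
func Provision(pin string) (*HardwareKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardwareKey{priv: priv, pin: pin, Pub: &priv.PublicKey}, nil
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// Sign answers the identity provider's challenge only after the user enters the correct PIN.
func (k *HardwareKey) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != k.pin {
		return nil, errors.New("wrong PIN")
	}
	return ecdsa.SignASN1(rand.Reader, k.priv, digest(challenge))
}
// Verifier models the identity provider: the enrolled certificate key plus single-use challenges.
type Verifier struct {
	pub     *ecdsa.PublicKey
	pending map[string]bool
}
func NewVerifier(enrolled *ecdsa.PublicKey) *Verifier { return &Verifier{enrolled, map[string]bool{}} }
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // fresh random nonce, remembered until Verify consumes it
	v.pending[string(c)] = true
	return c
}
// Verify rejects a challenge it never issued (a phishing page's own) and any replay of an answered one.
func (v *Verifier) Verify(challenge, sig []byte) bool {
	if !v.pending[string(challenge)] {
		return false
	}
	delete(v.pending, string(challenge))
	return ecdsa.VerifyASN1(v.pub, digest(challenge), sig)
}
```

The model shows why a phishing page gains little: the public certificate in the keychain cannot sign, a captured response only answers one challenge once, and a signature over a challenge the real identity provider never issued is not accepted.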

“Microsoft’s mobile certificate-based solution coupled with the hardware security keys is a simple, convenient FIPS-certified phishing-resistant MFA method,” Ranganathan said. 

The passwordless authentication ecosystem

With the threat of credential theft remaining high, the global passwordless authentication market continues to grow. Researchers anticipate it will increase from a value of $12.79 billion in 2021 to $53.64 billion by 2030. 

Since the FIDO Alliance commitment announced at the start of this year, a range of providers have begun developing their own password-free authentication solutions.

Just recently, Google introduced passwordless authentication to Chrome and Android by enabling users to create and use passkeys to log in to Android devices. Users can store these passkeys on their phones and use them to log in password-free. 

Likewise, Apple offers a passkeys solution for iOS 16 and macOS Ventura devices, so that users can log in to apps and websites with Face ID or Touch ID. 

However, according to Yubico’s announcement blog post, “the YubiKey is the only FIPS-certified phishing-resistant solution available for Azure AD on mobile.” 

Originally appeared on: TheSpuzz