Azure AD Certificate-based Authentication (CBA) on Mobile

This post has been republished via RSS; it originally appeared at: Microsoft Entra (Azure AD) Blog articles.

At Ignite 2022 we announced general availability of Azure Active Directory (Azure AD) Certificate-Based Authentication (CBA) as a part of Microsoft’s commitment to Executive Order 14028, Improving the Nation’s Cybersecurity. Now, we’re thrilled to announce the public preview of Azure AD CBA support on iOS and Android devices using certificates on hardware security key (YubiKey).  

 

With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user’s mobile device. To tell you more about the support for Azure AD CBA on mobile, I’ve invited Vimala Ranganathan, Product Manager on Microsoft Entra, to walk you through the details of phishing-resistant MFA on mobile.  

 

Thanks, and please let us know your thoughts!  

Alex Weinert (twitter: @Alex_t_weinert) 

 

---- 

 

Hello everyone, 

 

We’re excited to share with you more about the public preview of Azure AD CBA on iOS and Android devices using certificates on hardware security key. 

 


 

 

US Cybersecurity Executive Order 14028 requires the use of phishing-resistant MFA on all device platforms. On mobile, customers can provision user certificates directly on the device for authentication, but in practice that is only feasible for managed devices. This public preview unlocks support for BYOD: customers can now provision certificates on a hardware security key and use them to authenticate to Azure AD from iOS and Android devices.

 

Microsoft's mobile certificate-based solution, coupled with hardware security keys, is a simple, convenient, FIPS (Federal Information Processing Standards) validated, phishing-resistant MFA method.

  

All browser-based web apps and native apps, including Microsoft first-party apps using the latest Microsoft Authentication Library (MSAL), support Azure AD CBA with YubiKey on mobile devices. For apps that are not yet on the latest MSAL, Azure AD CBA with YubiKey is also supported through the brokered authentication flow using the latest Microsoft Authenticator (Android or iOS/iPadOS).

 

Azure AD CBA on iOS mobile with YubiKey 

As a one-time registration step, the user uses the Yubico Authenticator for iOS app to copy the YubiKey's public certificate into the iOS keychain; the private key of the smart card certificate never leaves the YubiKey.

  

To sign in, the user selects the YubiKey certificate from the certificate picker, either inserts the YubiKey or taps an NFC-enabled YubiKey, enters the PIN in Yubico Authenticator, and completes the authentication flow.

 


 

 

Azure AD CBA on Android mobile with YubiKey 

Azure AD CBA with YubiKey on Android is enabled through the latest MSAL; the Yubico Authenticator app is not required on Android.

  

Users plug in their YubiKey over USB, start the Azure AD CBA sign-in, pick the certificate from the YubiKey, enter the PIN, and are authenticated into the application.
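The registration and sign-in steps described above for iOS and Android come down to one idea: the relying party only ever receives the public certificate, and the user proves possession of the private key by signing a fresh challenge after unlocking the key with a PIN. The following Python script is an added example written for this page; it is not Microsoft's or Yubico's code and does not talk to a real YubiKey or to Azure AD. SimulatedHardwareKey, SimulatedIdentityProvider, the issuing CA, the user alice@contoso.example and the PIN 123456 are all constructed for the example, and it needs the cryptography package. It goes slightly beyond the post in showing how the verifier maps the certificate to a directory user through the UPN carried in the subject alternative name, which is the default username binding Azure AD CBA uses.

```python
import datetime, hmac, os
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

UTC = datetime.timezone.utc
# Microsoft's "User Principal Name" otherName OID, carried in the SAN extension.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

def der_utf8(s: str) -> bytes:
    """ASN.1 UTF8String (tag 0x0C, short-form length) for the SAN otherName value."""
    b = s.encode("utf-8")
    assert len(b) < 128, "short-form DER length only"
    return b"\x0c" + bytes([len(b)]) + b

def build_cert(subject, issuer, pub, signer_key, extensions):
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=365)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical)
    return b.sign(signer_key, hashes.SHA256())

def make_ca():
    """Constructed issuing CA, standing in for the CA uploaded to the Azure AD tenant."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    return key, build_cert(name, name, key.public_key(), key,
                           [(x509.BasicConstraints(ca=True, path_length=0), True)])

class SimulatedHardwareKey:
    """Hypothetical stand-in for a YubiKey PIV slot: the certificate can be exported,
    signing requires the PIN, and the private key object is never handed out."""
    def __init__(self, ca_key, ca_cert, upn: str, pin: str):
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
        # Client-auth certificate with the UPN in the SAN, the field that Azure AD
        # CBA's default username binding maps to the directory user.
        exts = [(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8(upn))]), False),
                (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), False)]
        self._cert = build_cert(subject, ca_cert.subject, self._key.public_key(), ca_key, exts)
        self._pin = pin
    def export_certificate(self) -> bytes:
        """One-time registration: only the public certificate leaves the key."""
        return self._cert.public_bytes(serialization.Encoding.PEM)
    def sign(self, pin: str, data: bytes) -> bytes:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return self._key.sign(data, padding.PKCS1v15(), hashes.SHA256())

class SimulatedIdentityProvider:
    """Hypothetical verifier holding only the trusted CA and a UPN -> user map."""
    def __init__(self, ca_cert, directory: dict):
        self._ca, self._dir, self._pending = ca_cert, directory, set()
    def challenge(self) -> bytes:
        nonce = os.urandom(32)
        self._pending.add(nonce)
        return nonce
    def authenticate(self, cert_pem: bytes, nonce: bytes, signature: bytes):
        """Return the directory user id on success, None on any failure."""
        if nonce not in self._pending:          # unknown or replayed challenge
            return None
        self._pending.discard(nonce)
        try:
            cert = x509.load_pem_x509_certificate(cert_pem)
            # 1. Issued by the trusted CA (one-level chain here) and currently valid.
            self._ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                         padding.PKCS1v15(), cert.signature_hash_algorithm)
            new_api = hasattr(cert, "not_valid_before_utc")   # cryptography >= 42
            nb = cert.not_valid_before_utc if new_api else cert.not_valid_before.replace(tzinfo=UTC)
            na = cert.not_valid_after_utc if new_api else cert.not_valid_after.replace(tzinfo=UTC)
            if not nb <= datetime.datetime.now(UTC) <= na:
                return None
            # 2. Proof of possession: the signature over *our* nonce must verify
            #    under the certificate's public key.
            cert.public_key().verify(signature, nonce, padding.PKCS1v15(), hashes.SHA256())
            # 3. Username binding: SAN UPN -> directory user.
            san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
            for other in san.get_values_for_type(x509.OtherName):
                if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
                    return self._dir.get(other.value[2:].decode("utf-8"))
        except (InvalidSignature, ValueError, x509.ExtensionNotFound):
            pass
        return None

def demo(pin_entered: str = "123456"):
    """Registration then sign-in; returns (user on first use, result of replaying the
    same nonce and signature). A wrong PIN never reaches the IdP and gives (None, None)."""
    ca_key, ca_cert = make_ca()
    token = SimulatedHardwareKey(ca_key, ca_cert, "alice@contoso.example", "123456")
    idp = SimulatedIdentityProvider(ca_cert, {"alice@contoso.example": "user-0001"})
    cert_pem = token.export_certificate()    # registration: public part to the keychain
    nonce = idp.challenge()                  # sign-in: pick cert, present key, enter PIN
    try:
        sig = token.sign(pin_entered, nonce)
    except PermissionError:
        return None, None
    first = idp.authenticate(cert_pem, nonce, sig)
    return first, idp.authenticate(cert_pem, nonce, sig)
```

Calling demo() returns the mapped user id for the first sign-in and None when the same nonce and signature are replayed; a wrong PIN is rejected by the key itself and never reaches the identity provider. A certificate issued by a CA the tenant does not trust, or a signature made over some other challenge, is likewise rejected, which is the property behind the post's point that the private part never leaves the YubiKey.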

 


 

 

To learn more about this public preview, join the upcoming webinar from Yubico: “New solutions to prevent phishing with Azure AD and YubiKeys” on November 3rd at 9am PST. Register here to attend! 

  

You can also learn more about Azure AD CBA and YubiKeys here:  

 

 

What’s next 

Keep your feedback coming at Azure Active Directory Community! We are working diligently to add NFC (near-field communication) support for YubiKey and to integrate other smart card providers with Azure AD CBA on mobile.

You can learn more about Microsoft’s commitment to Executive Order 14028 here.     

 

Thanks,   

Vimala 

 

 
