Microsoft releases public preview of Azure Active Directory (AD) Certificate-based Authentication (CBA) on iOS and Android devices using certificates on Yubico’s hardware security keys.
The company first announced the general availability of Azure AD CBA during Ignite 2022 as part of the company’s commitment to President Joe Biden’s executive order on improving cybersecurity in the United States, and now the feature is available in preview on iOS and Android using the YubiKey.
According to Microsoft, the feature is designed for BYOD (bring your own device) environments by giving administrators the ability to require phishing-resistant multi-factor authentication on mobile without having to provision certificates on the user’s mobile device.
Vimala Ranganathan, product manager at Microsoft Entra, says in a blog post that the feature complies with the Executive Order, which requires phishing-resistant MFA on all device platforms.
“On mobile, while customers can provide user certificates on their personal mobile device to use for authentication, this is primarily feasible for managed mobile devices,” Ranganathan says. “But this new public preview unlocks BYOD support.”
Customers can now provision certificates on a hardware security key, which can then be used for authentication with Azure AD on iOS and Android devices, according to Ranganathan.
“Microsoft’s mobile certificate-based solution paired with hardware-based security keys is a simple, convenient, Federal Information Processing Standards (FIPS) certified, and phishing-resistant MFA method,” Ranganathan writes in the blog post.
All browser-based web apps and native apps, including Microsoft proprietary apps using the latest Microsoft Authentication Library (MSAL), support Azure AD CBA with YubiKey on mobile devices. Azure AD CBA with YubiKey is also supported with the negotiated authentication flow using the latest version of Microsoft Authenticator (Android or iOS/iPadOS) for all applications that are not yet on the latest MSAL, says the Entra product manager.
As a one-time registration step on iOS, the user must use the Yubico Authenticator app for iOS to copy the YubiKey’s public certificate to the iOS Keychain. The private part of the smart card certificate never leaves the YubiKey, notes Ranganathan.
To sign in, users select the YubiKey certificate from the certificate picker, insert the YubiKey or tap an NFC-enabled YubiKey, enter the PIN through Yubico Authenticator, and complete the authentication process.
On Android, Azure AD CBA support is enabled through the latest MSAL, and the Yubico Authenticator app is not required. Users plug in their YubiKey via USB, launch Azure AD CBA, choose the YubiKey’s certificate, enter their PIN and authenticate to the app, according to Microsoft.
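The property that makes this flow phishing-resistant is the one Ranganathan points to above: only the public certificate is exported (on iOS, into the Keychain), while the private key stays on the YubiKey and is used only after a PIN check to answer a fresh challenge. The following Go program is an added illustration of that split, not code from Microsoft, Yubico or the article; the `HardwareKey` type, its PIN model, the self-signed certificate and the `VerifyChallenge` relying-party check are all assumptions made for the example and simplify the real certificate-based authentication protocol, which chains the certificate to an enterprise CA trusted by Azure AD.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HardwareKey is a stand-in for the YubiKey in this example (hypothetical
// model, not Yubico's API): the private key is generated here, never leaves
// the struct, and every signing operation requires the user's PIN.
type HardwareKey struct {
	priv    *ecdsa.PrivateKey
	certDER []byte
	pinHash [32]byte
}

// NewHardwareKey creates the key pair on the "device" and a self-signed
// certificate for it. In a real deployment the certificate would be issued
// by the enterprise CA that Azure AD trusts; self-signing keeps the example offline.
func NewHardwareKey(subject, pin string) (*HardwareKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return &HardwareKey{priv: priv, certDER: der, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// ExportCertificatePEM is the only material that leaves the device: the public
// certificate, which on iOS is what Yubico Authenticator copies into the Keychain.
func (k *HardwareKey) ExportCertificatePEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: k.certDER})
}

// Sign answers a server challenge with the on-device private key, but only
// after the PIN check the user performs through the authenticator app.
func (k *HardwareKey) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], k.pinHash[:]) != 1 {
		return nil, errors.New("PIN rejected")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

// VerifyChallenge is the relying-party side: holding only the exported
// certificate, it checks that the response was produced by the matching
// private key, proving possession of the hardware key without that key
// ever being transmitted. It returns the authenticated subject on success.
func VerifyChallenge(certPEM, challenge, sig []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no certificate in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not verify against certificate")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	key, err := NewHardwareKey("user@example.test", "123456")
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32) // constructed per-login nonce from the relying party
	rand.Read(challenge)
	sig, err := key.Sign("123456", challenge)
	if err != nil {
		panic(err)
	}
	subject, err := VerifyChallenge(key.ExportCertificatePEM(), challenge, sig)
	fmt.Println("authenticated:", subject, "err:", err)
}
```

Two failure cases are worth noting when reading the code: a wrong PIN is refused before any signature is produced, and a signature captured for one challenge does not verify for another, which is what stops a phished response from being replayed against a fresh login.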