Microsoft Strengthens Phishing-resistant Security For Entra ID With FIDO2 Provisioning APIs

Yubico has worked closely with Microsoft for over a decade to keep businesses around the world and the Microsoft solutions they use both secure and phishing-resistant. Recognising the importance of multi-factor authentication (MFA), Microsoft recently mandated that MFA be used by all Azure users – a critical move to require stronger authentication for end users to prevent phishing attacks.

Yubico applauds the mandate and encourages organisations to not only satisfy the MFA mandate, but also expand the use of modern MFA beyond only Azure users while moving past phishable MFA solutions. Organisations must protect all their resources and should be applying policies to all users and all applications with Conditional Access Policy Authentication Strengths, requiring phishing-resistant MFA solutions like the YubiKey.

Continuing this trend of focusing on phishing-resistance, Microsoft just announced Microsoft Entra ID FIDO2 provisioning APIs that give organisations the option to develop or leverage alternative administrator-led provisioning clients that support the setup of hardware security keys, like the YubiKey. Before this update, organisations were limited to requiring users to register their own security keys. This left gaps for many organisations that wanted to mature in their journey in becoming a phishing-resistant organisation, which often required users to sign-in with a phishable authentication method like a Temporary Access Pass in order to register their YubiKey.

While this may have worked for some, more diverse and multinational entities and government agencies have long sought after the ability to do the provisioning on-behalf of their users. Now, users can be onboarded into an organisation or can recover their account without ever having to downgrade to a phishable authentication method.

Yubico is proud to have partnered with Microsoft in supporting the development of these APIs. Yubico has worked to ensure that the provisioning of YubiKeys fits seamlessly into this release and Yubico now shares a GitHub project with a sample of how customers can leverage the new Microsoft Graph APIs.

“At Microsoft, we are committed to providing the highest levels of protection for our customers,” said Natee Pretikul, principal product management lead at Microsoft Security. “Phishing-resistant multi-factor authentication (MFA) is a critical component to a healthy and secure cybersecurity practice for any organisation. Through our FIDO2 Provisioning API integration with Yubico solution, our enterprise customers can quickly implement YubiKey, enhancing employee protection more efficiently. Together, we are empowering our customers to safeguard their digital identities and protect their data against ever-evolving threats.”

With Microsoft’s proven commitment to driving the highest security for users, and through our integration with Entra ID, YubiKeys offer a seamless, robust solution that not only strengthens security but simplifies the user experience. YubiKeys enable enterprises to create phishing-resistant users who use authentication that seamlessly moves with users across devices, services and business scenarios.

Effectively using YubiKeys across the Microsoft ecosystem

With strong two-factor, multi-factor and passwordless authentication, YubiKey’s integration across the Microsoft ecosystem is the best defense against account takeovers. While MFA is a strong first line of defense, not all forms are equally secure. Legacy methods like passwords are easily hacked, and mobile-based authentication (SMS, OTP codes, push notifications) are vulnerable to phishing, malware, SIM swaps, and AiTM attacks. This is particularly important for Microsoft environments, where the integration of services like Azure, Microsoft 365, and Dynamics 365 means that an account takeover could have widespread implications.

The risks that come from phishing attacks is exactly why the YubiKey is so important to today’s organisation using Microsoft solutions. The YubiKey provides a bridge from legacy to modern authentication options and can be used for on-premises Smart Card deployments, authenticate access to apps in the cloud through FIDO2 and meet you where you are in your Microsoft journey. Since YubiKeys work across all your devices (including the Surface Pro 10 for Business), it makes authenticating a breeze for all, including mobile-restricted users, factory floor workers, healthcare workers, hotel staff and many more.

As cyber threats continue to evolve, our partnership with Microsoft ensures that we remain at the forefront of security innovation, delivering solutions that protect users and their data. We recommend that you prepare your organisation for the Azure MFA mandate and review the Microsoft guidance to identify impacted users. Together, we can make phishing-resistant users in your organisation a reality and ensure your enterprise stays secure.

Fully protect your organisation by going beyond the mandate and enforcing phishing-resistant MFA for all your users and applications – leverage the built-in Authentication Strength for phishing-resistant MFA or build your custom Authentication Strength. Check out all the ways you can incorporate YubiKeys across the Microsoft ecosystem here.

Begin maturing towards a phishing-resistant organisation by exploring how to best leverage the Microsoft FIDO2 registration APIs to support high-assurance onboarding and account recovery processes. Be sure to explore the sample GitHub project to accelerate integrating the APIs into your organisation’s registration processes.

For more information and any questions on the Microsoft MFA Mandate, the new Microsoft Entra ID FIDO2 provisioning APIs and how to get started implementing YubiKeys for your business, contact our team here.

© Scoop Media