Microsoft releases password-free Azure AD authentication for mobile devices running iOS and Android

Microsoft wants to make it harder for hackers to steal credentials from hybrid employees who use the Azure Active Directory (AD) service from iOS or Android endpoints.

The YubiKey hardware security key, developed by Yubico, enables Microsoft’s innovative password-free, certificate-based authentication (CBA) mechanism for the business identification service.

According to Microsoft, the tool will provide mobile users with a login solution that is totally immune to phishing attacks and is certified to Federal Information Processing Standards (FIPS).

Simplified and safe authentication

U.S. Executive Order 14028 on cybersecurity mandates phishing-resistant multi-factor authentication (MFA) across all supported platforms. Authentication using user certificates on mobile devices is possible for both managed and unmanaged devices, with the former being more practical. However, “this new public preview enables functionality for BYOD,” as stated by Microsoft Entra’s product manager Vimala Ranganathan in a blog post introducing the updates.

Certificates issued by Microsoft Active Directory will now be provisioned with a hardware security key, enabling simple mobile device authentication. iOS users must sign up with the Yubico Authenticator app and then import the public certificate into Apple’s keychain. When they’re ready to log in, they may use the YubiKey certificate and its associated PIN.

Microsoft has announced that the newest Microsoft Authentication Library (MSAL) enables Azure AD CBA compatibility with YubiKey on Android phones. Android users may skip the YubiKey Authenticator app altogether: they connect their YubiKey to the device via USB, start Azure AD CBA, select the certificate from the YubiKey, and then enter their PIN.

According to Microsoft, using this kind of authentication reduces the likelihood of phishing and social engineering-based credential and identity theft.

“Microsoft’s mobile certificate-based solution coupled with the hardware security keys is a simple, convenient FIPS-certified phishing-resistant MFA method,” Ranganathan concluded.