Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Microsoft strengthens phishing-resistant security for Entra ID with FIDO2 provisioning APIs

August 2024 by Marc Jacob

Yubico has worked closely with Microsoft for over a decade to keep businesses around the world and the Microsoft solutions they use both secure and phishing-resistant. Recognizing the importance of multi-factor authentication (MFA), Microsoft recently mandated that MFA be used by all Azure users – a critical move to require stronger authentication for end users to prevent phishing attacks.

Yubico applauds the mandate and encourages organizations to not only satisfy the MFA mandate, but also expand the use of modern MFA beyond only Azure users while moving past phishable MFA solutions. Organizations must protect all their resources and should be applying policies to all users and all applications with Conditional Access Policy Authentication Strengths, requiring phishing-resistant MFA solutions like the YubiKey.

Continuing this trend of focusing on phishing-resistance, Microsoft just announced Microsoft Entra ID FIDO2 provisioning APIs that give organizations the option to develop or leverage alternative administrator-led provisioning clients that support the setup of hardware security keys, like the YubiKey. Before this update, organizations were limited to requiring users to register their own security keys. This left gaps for many organizations that wanted to mature in their journey in becoming a phishing-resistant organization, which often required users to sign-in with a phishable authentication method like a Temporary Access Pass in order to register their YubiKey.

While this may have worked for some, more diverse and multinational entities and government agencies have long sought after the ability to do the provisioning on-behalf of their users. Now, users can be onboarded into an organization or can recover their account without ever having to downgrade to a phishable authentication method.

Yubico is proud to have partnered with Microsoft in supporting the development of these APIs. Yubico has worked to ensure that the provisioning of YubiKeys fits seamlessly into this release and Yubico now shares a GitHub project with a sample of how customers can leverage the new Microsoft Graph APIs.

With Microsoft’s proven commitment to driving the highest security for users, and through our integration with Entra ID, YubiKeys offer a seamless, robust solution that not only strengthens security but simplifies the user experience. YubiKeys enable enterprises to create phishing-resistant users who use authentication that seamlessly moves with users across devices, services and business scenarios.

Effectively using YubiKeys across the Microsoft ecosystem

With strong two-factor, multi-factor and passwordless authentication, YubiKey’s integration across the Microsoft ecosystem is the best defense against account takeovers. While MFA is a strong first line of defense, not all forms are equally secure. Legacy methods like passwords are easily hacked, and mobile-based authentication (SMS, OTP codes, push notifications) are vulnerable to phishing, malware, SIM swaps, and AiTM attacks. This is particularly important for Microsoft environments, where the integration of services like Azure, Microsoft 365, and Dynamics 365 means that an account takeover could have widespread implications.

The risks that come from phishing attacks is exactly why the YubiKey is so important to today’s organization using Microsoft solutions. The YubiKey provides a bridge from legacy to modern authentication options and can be used for on-premises Smart Card deployments, authenticate access to apps in the cloud through FIDO2 and meet you where you are in your Microsoft journey. Since YubiKeys work across all your devices (including the Surface Pro 10 for Business), it makes authenticating a breeze for all, including mobile-restricted users, factory floor workers, healthcare workers, hotel staff and many more.

As cyber threats continue to evolve, our partnership with Microsoft ensures that we remain at the forefront of security innovation, delivering solutions that protect users and their data. We recommend that you prepare your organization for the Azure MFA mandate and review the Microsoft guidance to identify impacted users. Together, we can make phishing-resistant users in your organization a reality and ensure your enterprise stays secure.

Fully protect your organization by going beyond the mandate and enforcing phishing-resistant MFA for all your users and applications – leverage the built-in Authentication Strength for phishing-resistant MFA or build your custom Authentication Strength. Check out all the ways you can incorporate YubiKeys across the Microsoft ecosystem here.

Begin maturing towards a phishing-resistant organization by exploring how to best leverage the Microsoft FIDO2 registration APIs to support high-assurance onboarding and account recovery processes. Be sure to explore the sample GitHub project to accelerate integrating the APIs into your organization’s registration processes.


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts