New phishing-resistant solutions available with Azur AD and Yubikeys
October 2022 by Marc Jacob
Microsoft recently announced the release of three new solutions that enable organisations to deploy Azure Active Directory (Azure AD) to fight phishing attacks in Azure, Office 365, and remote desktop environments. These solutions will be essential to mitigate phishing attacks and will play a key role in supporting organisations looking to comply with the Executive Order.
These solutions include:
• Certificate-based Authentication (CBA)
• New authentication policies including FIDO and certificates
• Azure Virtual Desktop (AVD) now supports FIDO in addition to certificates
CBA is generally available for Azure AD. This feature enables organisations with existing smart card & public-key-infrastructure (PKI) deployments to authenticate to Azure AD without a federated server. Organisations can now use the same YubiKey as a smart card with Azure AD enabling them to migrate away from on-premises authentication solutions like ADFS as part of their Zero Trust and cloud strategies.
Conditional access authentication strengths: enforced FIDO or certificate-based authentication
This new feature from Microsoft enables organisations to fight phishing attacks by implementing specific user authentication policies. The public preview of Conditional Access Authentication Strengths enables organisations to restrict authentication to their requirements. These features enable enterprises to leverage YubiKeys for phishing-resistant MFA for FIDO-based passwordless (FIDO2/WebAuthn) or certificate-based authentication to enforce that YubiKeys are the only authentication solution allowed. By configuring Azure AD to require YubiKeys for phishing-resistant authentication, organisations are eliminating an entire attack vector for their most privileged users and safeguarding their most critical assets. Yubico strongly encourages every organisation to deploy conditional access authentication strength policies for your administrators today.
Azure Virtual Desktop adds support for FIDO authenticators
Azure Virtual Desktops (AVD) enable users to connect to a personal workstation in the cloud. Users with a virtual desktop have the same security and work experience no matter where they are. At Ignite, Microsoft announced support for FIDO-based passwordless authentication in AVD. This solution enables users to authenticate with their YubiKey and Azure AD passwordless credentials when the user signs into AVD or when they sign into an application inside their virtual desktop. The FIDO-based passwordless authentication solution augments the support for YubiKeys and certificate authentication currently supported in AVD.