SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Phishing-resistant solutions on Azure AD and YubiKeys now
Thu, 20th Oct 2022

Microsoft has announced three new Azure Active Directory (Azure AD) capabilities, developed alongside Yubico, that let organisations enforce phishing-resistant authentication across Azure, Office 365 and remote desktop environments. They are intended to blunt credential phishing and to help organisations meet the phishing-resistant MFA requirements flowing from US Executive Order 14028 on improving the nation's cybersecurity.

The three capabilities are: Certificate-based Authentication (CBA) against Azure AD directly; Conditional Access authentication strength policies that can require FIDO2 or certificate-based authentication; and FIDO2 support in Azure Virtual Desktop (AVD), alongside the certificate support AVD already had.

With the general availability of Azure AD CBA, customers can bring their existing public key infrastructure (PKI) to Azure AD and let users whose smart card certificates live on a YubiKey sign in to Azure AD-joined Windows workstations and Azure AD-protected applications. Separately, the new Conditional Access authentication strength capability lets organisations write policies that only accept phishing-resistant authentication methods, which a YubiKey satisfies either as a FIDO2 authenticator or as a certificate-bearing smart card.

Together these features are the building blocks for rolling out phishing-resistant MFA in an Azure AD tenant.

“Providing new identity solutions to protect our customers is paramount in the fight to stop phishing,” says Sue Bohn, Vice President of Product Management for Microsoft’s Identity and Network Access (IDNA) group. 

“We’re excited to launch these new features that support key steps customers can take in their Zero Trust journey, and Yubico has been with us fighting against phishing attacks every step of the way.”

CBA is now generally available in Azure AD. Organisations with existing smart card and PKI deployments can authenticate users to Azure AD without a federation server: the tenant administrator uploads the issuing CA chain and CRL locations to Azure AD, and Azure AD validates the user's certificate itself and maps it to the user object.

The same YubiKey that holds the user's smart card certificate can therefore be used against Azure AD directly, which lets organisations retire on-premises federation services such as AD FS as part of their Zero Trust and cloud strategies. One caveat for Conditional Access planning: Azure AD's CBA authentication method policy binds certificates to a protection level, and only certificates bound as multifactor count towards the phishing-resistant MFA authentication strength; a certificate bound as single-factor will not satisfy such a policy.

Microsoft has also extended Conditional Access with authentication strength (currently in public preview). Where earlier Conditional Access policies could only require "MFA" in general, an authentication strength names the specific combinations of methods that are acceptable for a given set of users, applications and conditions.

The built-in "Phishing-resistant MFA" strength accepts only FIDO2 security keys, Windows Hello for Business and certificate-based authentication bound as multifactor, all of which a YubiKey can provide. Methods that a phishing proxy can relay, such as passwords, SMS codes, authenticator app codes and push approvals, are not on the list, so an attacker who captures them through a look-alike site gains nothing. Note that the strength constrains the method, not the vendor: to limit enrolment to particular YubiKey models, the FIDO2 authentication method policy additionally supports an allow-list of authenticator AAGUIDs.

By requiring phishing-resistant authentication for their most privileged accounts, organisations close off the credential-phishing attack vector for exactly the users whose compromise would do the most damage.

Yubico strongly encourages every organisation to deploy Conditional Access Authentication Strength policies for their administrators.
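The following is an added example, not code from the article, Microsoft or Yubico, of putting that recommendation into practice with the Microsoft Graph PowerShell SDK. It creates a Conditional Access policy that requires the built-in "Phishing-resistant MFA" authentication strength for Global Administrators, starts it in report-only mode so that sign-ins are evaluated but not blocked, and then reads back the report-only outcomes from the sign-in log. The authentication strength ID and the Global Administrator role template ID are the values Microsoft documents for every tenant; the break-glass account object ID is a placeholder you must replace, and the Graph scopes assumed are `Policy.ReadWrite.ConditionalAccess`, `Policy.Read.All` and `AuditLog.Read.All`.

```powershell
# Added example: require phishing-resistant MFA for Global Administrators via Conditional Access.
# Not part of the original article; uses the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Built-in authentication strength "Phishing-resistant MFA" (Microsoft-documented, identical in every tenant).
$PhishingResistantMfaId = "00000000-0000-0000-0000-000000000004"

# Directory role template ID for Global Administrator (Microsoft-documented). Add other privileged
# role template IDs to this array to widen the scope.
$PrivilegedRoleTemplateIds = @("62e90394-69f5-4237-9190-012177145e10")

# ASSUMPTION / placeholder: object ID of the emergency-access (break-glass) account.
# Always exclude it, otherwise a lost or broken key can lock every administrator out of the tenant.
$BreakGlassUserId = "00000000-0000-0000-0000-000000000000"

# Show what the built-in strength actually allows, so the change is reviewed before it is enforced.
$strength = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies/$PhishingResistantMfaId"
Write-Host "Strength '$($strength.displayName)' allows:"
$strength.allowedCombinations | ForEach-Object { Write-Host "  - $_" }

# Policy body. state = enabledForReportingButNotEnforced is report-only; switch to "enabled"
# only after the sign-in log shows no unexpected reportOnlyFailure results for real admins.
$policy = @{
    displayName   = "Require phishing-resistant MFA for privileged roles"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeRoles = $PrivilegedRoleTemplateIds
            excludeUsers = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $PhishingResistantMfaId }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy -ContentType "application/json"
Write-Host "Created policy $($created.id) in state $($created.state)"

# Verification: list recent sign-ins where this policy would have failed had it been enforced.
# Each sign-in carries appliedConditionalAccessPolicies with a per-policy result; in report-only
# mode the interesting values are reportOnlySuccess, reportOnlyFailure and reportOnlyNotApplied.
$signIns = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$top=200"

$wouldHaveFailed = foreach ($s in $signIns.value) {
    foreach ($p in $s.appliedConditionalAccessPolicies) {
        if ($p.id -eq $created.id -and $p.result -eq "reportOnlyFailure") {
            [pscustomobject]@{
                When   = $s.createdDateTime
                User   = $s.userPrincipalName
                App    = $s.appDisplayName
                Method = ($s.authenticationDetails | ForEach-Object { $_.authenticationMethod }) -join ","
            }
        }
    }
}

if ($wouldHaveFailed) {
    Write-Host "Admin sign-ins that would have been blocked (register a FIDO2 key or multifactor CBA for these users first):"
    $wouldHaveFailed | Format-Table -AutoSize
} else {
    Write-Host "No report-only failures seen; the policy can be switched to state = enabled."
}
```

The report-only phase matters: an administrator whose only registered methods are a password and an authenticator app will be locked out the moment the policy is enforced, so the log check above is the gate before changing `state` to `enabled`. If you rely on CBA rather than FIDO2 for some administrators, also confirm that the tenant's x509Certificate authentication method policy binds their issuing CA to the multifactor protection level, since single-factor certificates do not satisfy this strength.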

The final feature concerns Azure Virtual Desktop (AVD), which gives users a personal workstation in the cloud.

Users with a virtual desktop get the same security posture and work experience wherever they are.

At Ignite, Microsoft announced support for FIDO2-based passwordless authentication in AVD.

Users can now authenticate with a YubiKey and their Azure AD passwordless credentials both when signing in to AVD and when signing in to applications inside the virtual desktop, without a password being entered or relayed at either step. This FIDO2 passwordless option sits alongside the certificate-based (smart card) authentication that AVD already supported with YubiKeys.