New phishing-resistant solutions available now with Azure AD and YubiKeys

October 19, 2022 3 minute read

Microsoft recently announced the release of three new solutions that enable organizations to deploy Azure Active Directory (Azure AD) to fight phishing attacks in Azure, Office 365, and remote desktop environments. These solutions will be essential to mitigate phishing attacks and will play a key role in supporting organizations looking to comply with the Executive Order. These solutions include:

  • Certificate-based Authentication (CBA)
  • New authentication policies including FIDO and certificates
  • Azure Virtual Desktop (AVD) now supports FIDO in addition to certificates

“Providing new identity solutions to protect our customers is paramount in the fight to stop phishing,” said Sue Bohn, vice president of product management for Microsoft’s Identity and Network Access (IDNA) group. “We’re excited to launch these new features that support key steps customers can take in their Zero Trust journey, and Yubico has been with us fighting against phishing attacks every step of the way.”

Certificate-based Authentication

CBA is generally available for Azure AD. This feature enables organizations with existing smart card & public-key-infrastructure (PKI) deployments to authenticate to Azure AD without a federated server. Organizations can now use the same YubiKey as a smart card with Azure AD enabling them to migrate away from on-premises authentication solutions like ADFS as part of their Zero Trust and cloud strategies.

Conditional Access Authentication Strengths: Enforced FIDO or Certificate-based Authentication

This new feature from Microsoft enables organizations to fight phishing attacks by implementing specific user authentication policies. The public preview of Conditional Access Authentication Strengths enables organizations to restrict authentication to their requirements. These features enable enterprises to leverage YubiKeys for phishing-resistant MFA for FIDO-based passwordless (FIDO2/WebAuthn) or certificate-based authentication to enforce that YubiKeys are the only authentication solution allowed. By configuring Azure AD to require YubiKeys for phishing-resistant authentication, organizations are eliminating an entire attack vector for their most privileged users and safeguarding their most critical assets.

Yubico strongly encourages every organization to deploy Conditional Access Authentication Strength policies for your administrators today.

Azure Virtual Desktop adds support for FIDO authenticators

Azure Virtual Desktops (AVD) enable users to connect to a personal workstation in the cloud.  Users with a virtual desktop have the same security and work experience no matter where they are. At Ignite, Microsoft announced support for FIDO-based passwordless authentication in AVD.  This solution enables users to authenticate with their YubiKey and Azure AD passwordless credentials when the user signs into AVD or when they sign into an application inside their virtual desktop. The FIDO-based passwordless authentication solution augments the support for YubiKeys and certificate authentication currently supported in AVD.

Learn more

These new features announced by Microsoft are powerful tools for incorporating phishing-resistant MFA methods within your organization, and we’re excited to share additional details and best practices during our upcoming  webinar, New solutions to prevent phishing with Azure AD and YubiKeys, on November 3rd at 9am PT. Please register here to attend.