Phishing-resistant MFA on Azure AD with YubiKeys now generally available

Following last November’s announced public preview of Azure AD Certificate-based authentication (CBA) on iOS and Android devices using certificates on hardware security keys, we’re excited to share that it is now generally available for everyone! Be sure to check out Microsoft’s blog post detailing the general availability here for more information.

As mentioned previously, CBA (which you may know as PIV or as smart cards), is widely deployed across many industries and for a long time has been a favorite amongst security experts. It is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt. The lack of strong and convenient authentication methods on mobile has been holding back organizations from requiring phishing-resistant authentication everywhere.

“As the threat of sophisticated cyberattacks continues to rise, ensuring our customers have access to phishing-resistant MFA methods like YubiKeys while using our products and platforms is critical,” said Natee Pretikul, Principal Product Management Lead, Microsoft Security division. “Thanks to our collaboration with Yubico, we’re thrilled that our federal government and enterprise customers can now use Azure AD CBA on iOS and Android devices to comply with the Executive Order on improving the Nation’s Cybersecurity that directs the use of phishing-resistant MFA on all device platforms.”

Azure AD and YubiKey support for phishing-resistant authentication continues to grow day by day. Check out some of the simple ways your organization can now help prevent phishing with CBA. All of these can be enabled with YubiKeys and Azure AD, all without passwords on your mobile devices: 

  • Sign-in to your favorite Microsoft first party applications like Office, Teams, Outlook and many more.
  • Sign-in to other 3rd party applications, or even your organization’s custom apps protected with Azure AD.
  • Sign-in to Edge profiles which then allows Single Sign-On (SSO) to all your favorite Azure AD protected web applications. 
  • Sign-in to your Azure Virtual Desktops with the web client.
  • Is your organization still using AD FS for CBA? YubiKeys on mobile devices are supported there too.

Now with this new support on mobile, your organization can take the next step and require the strongest Conditional Access Policy Authentication Strength, using certificate based authentication everywhere, even on mobile devices. Using Conditional Access Policies, your organization can block any sign-in attempt that does not use CBA.

Setting up CBA on Azure requires some basic configuration steps within Azure AD and for many apps it will require the installation of the Microsoft Authenticator app on Android or iOS/iPadOS. The Yubico Authenticator app is also needed on iOS/iPadOS and configured following these steps. Your existing YubiKey PIV/smart card issuance process does not need to change. And finally, set up Conditional Access Policies Authentication Strengths so you can see how access is blocked if you don’t use CBA.

Now that you are all set up, go and try it out – you’ll find that the process is extremely easy and user-friendly. If you want to learn more about all the other things YubiKeys can do with Azure AD CBA beyond mobile, see these pages here to help you on your phishing-resistant authentication journey with Azure AD.

——

For more information, don’t miss our upcoming webinar with Microsoft on June 15 at 9am PT, “Prevent phishing with Azure AD CBA and YubiKeys on mobile devices” – register in advance here.

Talk to our teamTalk to our team

Share this article:


  • CEO Corner: Maintaining stable growth while navigating global uncertaintyAs we officially close out the first quarter of 2025,  I am pleased we saw a quarter with solid growth and profitability along with ongoing demand for phishing-resistant authentication. We continue to see new types of high-profile cyber attacks appearing regularly, and a major reason for the success of phishing attacks is stolen credentials. As […]Read moreCEOCEO CornerEarningsMattias Danielsson
  • Introducing the Yubico Academy: Enabling partners for a phishing-resistant futureAt Yubico, strong partnerships are fundamental to a more secure digital world. Our commitment goes beyond providing leading security keys; it’s about actively fostering the growth of our valued partners through impactful enablement programs. A cornerstone is the Yubico Academy, featuring our comprehensive certification program.  This program enables our partners’ teams to become Yubico experts, […]Read more
  • AI is booming — but proving you’re human matters more than everIf you walked the show floor at the RSA Conference this year, you probably noticed the same thing I did: Artificial Intelligence (AI) is everywhere. Agentic AI. AI in threat detection. AI in firewalls. AI in identity management. AI-generated demos. AI everything. The energy around AI was undeniable, and we’re seeing real innovation, efficiency gains […]Read moreAIArtificial IntelligencephishingRSAC
  • Ditching passwords for good: Celebrating the inaugural World Passkey DayHave you ever been stuck in a relationship with someone who constantly lets you down, exposes your secrets, and leaves you vulnerable? Odds are you cut your losses, packed up your things and moved on. Today is the day to do the same with your passwords: say goodbye forever! The reality is a majority of […]Read morepasskeyspasswordlessWorld Passkey Day