• Microsoft | Yubico

    Strong phishing-resistant MFA for compliance with the EO

    Read the solution brief
    Home » Solutions » Executive Order on Improving the Nation’s Cybersecurity » Yubico | Microsoft Strong phishing-resistant MFA for compliance with the EO

    The shift to Zero Trust security

    In May of 2021, the White House issued Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, outlining new expectations & guidelines for zero trust and phishing-resistant multi-factor authentication (MFA) for federal agencies as well as their suppliers and partners.

    Passwords, SMS, and other One-Time Passwords (OTP) are commonly used MFA solution, but they are not phishing-resistant and are highly susceptible to cyber attacks. The Federal Government’s policy requires the use of authenticators compliant with Federal Information Processing Standards (FIPS) 140-2, which includes PIV and CAC, and authenticators that meet the technical requirements published in NIST SP 800-63B.

    The federal Zero Trust architecture (ZTA) strategy, as outlined in the OMB memo M-22-09, requires federal agencies, staff, contractors, and partners to use phishing-resistant MFA to reduce the threat from sophisticated attacks. Phishing-resistant MFA refers to an authentication process that is immune to attackers intercepting or even tricking users into revealing access information.

    Enable a seamless journey to Zero Trust with

    Yubico and Microsoft

    Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and leading contributors to WebAuthn/FIDO2. Yubico offers the YubiKey FIPS Series, a FIPS 140-2 validated hardware security key that provides phishing-resistant two-factor, multi-factor, and passwordless authentication at scale, helping government agencies and highly regulated enterprises meet the Zero Trust and MFA recommendations detailed in EO 14028 & OMB M-22-09.

    man with laptop

    As an outcome of the EO, all organizations should now have phishing-resistant MFA at the top of their security agendas. The good news is that if you’re a Microsoft user, either Entra ID or Microsoft 365, you can take advantage of native support for the YubiKey, the most secure form of phishing-resistant MFA, for immediate compliance with the EO.

    With Microsoft and the YubiKey, government agencies receive phishing-resistant and federal compliant, strong hardware-backed authentication that is simple to deploy across multiple applications as well as modern devices, with single sign-on (SSO) capabilities.

    • Out-of-the-box, native integration for Microsoft 365 collaboration and productivity tools
    • Easy and secure access to Entra ID protected solutions
    • Authenticate to Entra ID or AD FS with certificate-based authentication (CBA)
    • Enforcement with Conditional Access policy requires a phishing-resistant authentication strengths (currently public preview) including FIDO2/WebAuthn or CBA
    • Secure corporate system access to Microsoft 365 remote workers & 3rd party entities

    Integrate your solution with YubiKey and Entra ID

    microsoft integration slide

    Phishing-resistant MFA for your journey
    to Zero Trust


    FIDO2 Passwordless via supported browser or desktop login

    Certificate-based Authentication

    With CBA, a user can leverage their YubiKey as a smart card to access applications and desktops protected with Entra ID or AD FS.

    Executive Order Hub

    Microsoft and Entra ID can integrate with 3rd Party IAMs (Identity Access Management) such as Ping Identity or Okta.

    As a result, YubiKeys can be used to authenticate to Entra ID with IAMs that provide modern phishing- resistant MFA based on the FIDO2.

    Simple and secure sign on with certificate-based authentication

    Entra ID and YubiKeys secure federal agencies and their vendors with phishing-resistant MFA with simple and secure sign in on laptops and mobile phones. YubiKey is currently the only external device that supports CBA on Android and iOS. Plus, the YubiKey is the only FIPS certified phishing-resistant solution available for Entra ID on mobile.

    Phishing-resistant MFA with a touch

    YubiKeys offer the best of both worlds—the best available security against phishing attacks and account takeovers, as well as simplified user experience. To authenticate, users simply tap/touch their security key. YubiKeys are also durable and don’t require batteries or need a cellular connection, and are water-resistant and crush-proof. Here are additional benefits to using YubiKeys for your Microsoft applications:

    no password
    Enable the bridge to passwordless authentication

    Government agencies can deploy a smart card/PIV passwordless solution today without the need for smart card readers—and get ready for a FIDO2/WebAuthn passwordless experience in the future.

    shield in circle icon
    Enhanced security posture with streamlined deployment

    Deploying the YubiKey is a fast, simple, and inexpensive process thanks to seamless compatibility with existing infrastructures and YubiEnterprise subscription and delivery options

    key and hand icon
    Privileged users, remote workforce, and shared workstations

    Improve security and productivity for privileged users or those sharing workstations and provide support for remote workers, contractors, air-gapped/isolated networks, cloud services, or high-risk military scenarios.

    secure desktop
    Multi-protocol flexibility

    Microsoft works with the multi-protocol YubiKey 5 FIPS Series, ensuring a single solution across legacy and modern applications and devices. Authentication protocols include FIDO2/WebAuthn and certificate- based authentication.

    lock and browser icon
    Secure access to Microsoft apps

    Microsoft 365 apps, desktops and Azure Virtual Desktops are all secured with the YubiKey solution that exceeds compliance requirements.

    user profile icon
    Convenient login for higher employee productivity

    Organization can enhance security and simplify logins, reducing support calls and downtime.

    lock in gear
    Integrated with leading IAM solutions

    YubiKeys secure authentication to Microsoft Office applications that are federated via IAM solutions such as Ping Identity, Okta, Duo, and more.

    lock in middle of hub
    Third party/vendor access

    YubiKeys can secure corporate system access
    to Microsoft 365 workloads by 3rd party entities to prevent breaches.

    YubiKeys and Entra ID certificate-based authentication for implementing Zero Trust architecture

    In addition to protecting government agencies and employees, the EO mandates that organizations working with the federal government also have phishing-resistant authentication for their suppliers and partners. YubiKeys are a perfect solution as they support both types of phishing-resistant authentication—Certificates and FIDO2. Entra ID certificate-based authentication (CBA) and YubiKeys enable enterprises to deploy BYOD, work from home, and first-line worker scenarios by deploying a YubiKey without the need for external hardware.

    Are you impacted by EO 14028?

    Some organizations may believe that the Executive Order is focused towards federal agencies, but it has critical implications for many regulated and private sector industries such as defense, supply chain, healthcare, technology, and financial services. In March 2022, President Biden called on both state and local governments and the private sector to step up cybersecurity defenses in line with EO 14028 with all urgency, starting with “the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system…”

    white house at night

    Zero Trust is the new regulatory minimum for federal agencies. What does that mean for authentication?

    Need to adopt a Zero Trust architecture and deploy MFA per the United States Executive Order on Improving the Nation’s Cybersecurity? Yubico can help with strong authentication that supports Zero Trust initiatives.

    YubiKeys protect Microsoft environments

    Yubico + Microsoft. FIPS 140-2 Validated Phishing-Resistant MFA
    Yubico + Microsoft. Your defense against account takeovers

    Yubico + Microsoft. Microsoft 365 Protection for the Public Sector

    YubiKeys aid in EO compliance

    White House declaration: act now for cybersecurity attack protection
    Meeting Zero Trust and phishing-resistant MFA requirements in Memorandum 22-09

    compliance federal gov white paper cover with gov building
    Modern hardware backed MFA and compliance for Federal Government

    Implement YubiKeys with help from Yubico

    Yubikey Azure AD Hybrid Implementation Projects
    Professional Services Microsoft Passwordless Implementation Package

    Professional Services Operational Deployment workshop
    array of logos

    Get started

    YubiKey 5 series

    Find the right YubiKey

    Contact our sales team for a personalized assessment of your company’s needs.

    statue and YubiKey
    Get protected today

    Browse our online store today and buy the right YubiKey for you.