Microsoft | Yubico
Strong phishing-resistant MFA for compliance with the EO


The shift to Zero Trust security

In May of 2021, the White House issued Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, outlining new expectations & guidelines for zero trust and phishing-resistant multi-factor authentication (MFA) for federal agencies as well as their suppliers and partners.

Passwords, SMS, and other One-Time Passwords (OTP) are commonly used MFA solutions, but they are not phishing-resistant and are highly susceptible to cyber attacks. The Federal Government’s policy requires the use of authenticators compliant with Federal Information Processing Standards (FIPS) 140-2, which includes PIV and CAC, and authenticators that meet the technical requirements published in NIST SP 800-63B.

The federal Zero Trust architecture (ZTA) strategy, as outlined in the OMB memo M-22-09, requires federal agencies, staff, contractors, and partners to use phishing-resistant MFA to reduce the threat from sophisticated attacks. Phishing-resistant MFA refers to an authentication process that is immune to attackers intercepting or even tricking users into revealing access information.


Enable a seamless journey to Zero Trust with Yubico and Microsoft

Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and leading contributors to WebAuthn/FIDO2. Yubico offers the YubiKey FIPS Series, a FIPS 140-2 validated hardware security key that provides phishing-resistant two-factor, multi-factor, and passwordless authentication at scale, helping government agencies and highly regulated enterprises meet the Zero Trust and MFA recommendations detailed in EO 14028 & OMB M-22-09.


As an outcome of the EO, all organizations should now have phishing-resistant MFA at the top of their security agendas. The good news is that if you’re a Microsoft user, either Azure, Azure Active Directory (Azure AD) or Microsoft 365, you can take advantage of native support for the YubiKey, the most secure form of phishing-resistant MFA, for immediate compliance with the EO.

With Microsoft and the YubiKey, government agencies receive phishing-resistant, federally compliant, strong hardware-backed authentication that is simple to deploy across multiple applications as well as modern devices, with single sign-on (SSO) capabilities.

  • Out-of-the-box, native integration for Microsoft 365 collaboration and productivity tools
  • Easy and secure access to Azure AD protected solutions
  • Authenticate to Azure AD or AD FS with certificate-based authentication (CBA)
  • Enforcement with a Conditional Access policy that requires a phishing-resistant authentication strength (currently in public preview), including FIDO2/WebAuthn or CBA
  • Secure corporate system access to Microsoft 365 for remote workers & 3rd party entities

Integrate your solution with YubiKey and Azure Active Directory


Phishing-resistant MFA for your journey to Zero Trust

FIDO2/WebAuthn

FIDO2 Passwordless via supported browser or desktop login

Certificate-based Authentication

With CBA, a user can leverage their YubiKey as a smart card to access applications and desktops protected with Azure AD or AD FS.


Executive Order Hub

Microsoft and Azure AD can integrate with 3rd Party IAMs (Identity Access Management) such as Ping Identity or Okta.

As a result, YubiKeys can be used to authenticate to Azure AD with IAMs that provide modern phishing-resistant MFA based on FIDO2.


Phishing-resistant MFA with a touch

YubiKeys offer the best of both worlds: the best available security against phishing attacks and account takeovers, as well as a simplified user experience. To authenticate, users simply tap/touch their security key. YubiKeys are also durable, water-resistant, and crush-proof, and they don’t require batteries or a cellular connection. Here are additional benefits to using YubiKeys for your Microsoft applications:

Enable the bridge to passwordless authentication

Government agencies can deploy a smart card/PIV passwordless solution today without the need for smart card readers—and get ready for a FIDO2/WebAuthn passwordless experience in the future.

Enhanced security posture with streamlined deployment

Deploying the YubiKey is a fast, simple, and inexpensive process thanks to seamless compatibility with existing infrastructures and YubiEnterprise subscription and delivery options.

Privileged users, remote workforce, and shared workstations

Improve security and productivity for privileged users or those sharing workstations and provide support for remote workers, contractors, air-gapped/isolated networks, cloud services, or high-risk military scenarios.

Multi-protocol flexibility

Microsoft works with the multi-protocol YubiKey 5 FIPS Series, ensuring a single solution across legacy and modern applications and devices. Authentication protocols include FIDO2/WebAuthn and certificate-based authentication.

Secure access to Microsoft apps

Microsoft 365 apps, desktops and Azure Virtual Desktops are all secured with the YubiKey solution that exceeds compliance requirements.

Convenient login for higher employee productivity

Organizations can enhance security and simplify logins, reducing support calls and downtime.

Integrated with leading IAM solutions

YubiKeys secure authentication to Microsoft Office applications that are federated via IAM solutions such as Ping Identity, Okta, Duo, and more.

Third party/vendor access

YubiKeys can secure corporate system access to Microsoft 365 workloads by 3rd party entities to prevent breaches.


YubiKeys and Azure AD certificate-based authentication for implementing Zero Trust architecture

In addition to protecting government agencies and employees, the EO mandates that organizations working with the federal government also have phishing-resistant authentication for their suppliers and partners. YubiKeys are a perfect solution as they support both types of phishing-resistant authentication—Certificates and FIDO2. Azure AD certificate-based authentication (CBA) and YubiKeys enable enterprises to deploy BYOD, work from home, and first-line worker scenarios by deploying a YubiKey without the need for external hardware.


Are you impacted by EO 14028?

Some organizations may believe that the Executive Order is focused towards federal agencies, but it has critical implications for many regulated and private sector industries such as defense, supply chain, healthcare, technology, and financial services. In March 2022, President Biden called on both state and local governments and the private sector to step up cybersecurity defenses in line with EO 14028 with all urgency, starting with “the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system…”


Zero Trust is the new regulatory minimum for federal agencies. What does that mean for authentication?


Need to adopt a Zero Trust architecture and deploy MFA per the United States Executive Order on Improving the Nation’s Cybersecurity? Yubico can help with strong authentication that supports Zero Trust initiatives.


YubiKeys protect Microsoft environments

Yubico + Microsoft. FIPS 140-2 Validated Phishing-Resistant MFA
Yubico + Microsoft. Your defense against account takeovers

Yubico + Microsoft. Microsoft 365 Protection for the Public Sector

YubiKeys aid in EO compliance

White House declaration: act now for cybersecurity attack protection
Meeting Zero Trust and phishing-resistant MFA requirements in Memorandum 22-09

Modern hardware backed MFA and compliance for Federal Government

Implement YubiKeys with help from Yubico

YubiKey Azure AD Hybrid Implementation Projects
Professional Services Microsoft Passwordless Implementation Package

Professional Services Operational Deployment workshop

Get started

YubiKey 5 series

Find the right YubiKey

Contact our sales team for a personalized assessment of your company’s needs.

Get protected today

Browse our online store today and buy the right YubiKey for you.