Microsoft | Yubico
Strong phishing-resistant MFA for compliance with the EO
The shift to Zero Trust security
In May of 2021, the White House issued Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, outlining new expectations & guidelines for zero trust and phishing-resistant multi-factor authentication (MFA) for federal agencies as well as their suppliers and partners.
Passwords, SMS codes, and other one-time passwords (OTP) are commonly used authentication factors, but they are not phishing-resistant: an attacker who captures or relays them can replay them against the real service. Federal policy requires the use of FIPS 140-2 compliant authenticators, such as PIV and CAC cards, and of authenticators that meet the technical requirements published in NIST SP 800-63B.
The federal Zero Trust architecture (ZTA) strategy, as outlined in the OMB memo M-22-09, requires federal agencies, staff, contractors, and partners to use phishing-resistant MFA to reduce the threat from sophisticated attacks. Phishing-resistant MFA refers to an authentication process that cannot be defeated by an attacker intercepting the credential or tricking the user into revealing it: the authentication is cryptographically bound to the legitimate site, so a response obtained through a look-alike site is useless to the attacker.
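To make the "phishing-resistant" property concrete, the following is an added example (not part of the original Yubico/Microsoft brief) of the origin and RP-ID checks a WebAuthn/FIDO2 relying party performs on an assertion. The RP ID `login.example.gov`, the challenge value, the clientDataJSON and authenticatorData bytes are all constructed here for illustration; no browser or YubiKey is involved, and the signature verification step is omitted so the example stays focused on why a look-alike site cannot reuse the response.

```python
from __future__ import annotations

import hashlib
import json

# Relying party configuration (constructed for this example).
RP_ID = "login.example.gov"
ALLOWED_ORIGINS = {"https://login.example.gov"}


def build_client_data(challenge: str, origin: str) -> bytes:
    """Stand-in for the clientDataJSON a browser produces: the browser, not the
    page's JavaScript, fills in the origin the user is actually on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def build_authenticator_data(rp_id: str, user_present: bool = True,
                             user_verified: bool = False, sign_count: int = 1) -> bytes:
    """Stand-in for authenticatorData: rpIdHash(32) || flags(1) || signCount(4, big-endian).
    The authenticator hashes the RP ID the browser passes it, so a credential is
    scoped to that RP ID and is never offered to a different domain."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: str, require_uv: bool = False) -> tuple[bool, str]:
    """The binding checks from the WebAuthn assertion verification procedure
    (challenge, origin, rpIdHash, flags). Signature verification over
    authenticatorData || SHA-256(clientDataJSON) would follow these checks."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # This is the check a phishing site cannot get past: the browser records
        # the real origin, and the authenticator signs over a hash of it.
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence (key touch) not asserted"
    if require_uv and not flags & 0x04:
        return False, "user verification (PIN/biometric) required but not asserted"
    return True, "ok"


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Legitimate sign-in versus the same challenge relayed through a look-alike site."""
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdlLWZvci1kZW1v"  # constructed, base64url-style
    legit = verify_assertion_binding(
        build_client_data(challenge, "https://login.example.gov"),
        build_authenticator_data(RP_ID),
        challenge,
    )
    # A phishing page on another domain gets a clientDataJSON with its own origin
    # and an authenticatorData hashed over its own RP ID; both checks fail.
    phished = verify_assertion_binding(
        build_client_data(challenge, "https://login.example-gov.com"),
        build_authenticator_data("login.example-gov.com"),
        challenge,
    )
    return legit, phished


if __name__ == "__main__":
    for label, result in zip(("legitimate", "phished"), demo()):
        print(f"{label}: accepted={result[0]} ({result[1]})")
```

Contrast this with an OTP: the six digits carry no information about where they were typed, so a relay site can forward them to the real login page unchanged. The WebAuthn response, by contrast, embeds the origin and RP ID and is signed by a key that the authenticator only releases for that RP ID.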
Enable a seamless journey to Zero Trust with Yubico and Microsoft
Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and leading contributors to WebAuthn/FIDO2. Yubico offers the YubiKey FIPS Series, a FIPS 140-2 validated hardware security key that provides phishing-resistant two-factor, multi-factor, and passwordless authentication at scale, helping government agencies and highly regulated enterprises meet the Zero Trust and MFA recommendations detailed in EO 14028 & OMB M-22-09.
As an outcome of the EO, all organizations should now have phishing-resistant MFA at the top of their security agendas. The good news is that if you’re a Microsoft user, either Azure, Azure Active Directory (Azure AD) or Microsoft 365, you can take advantage of native support for the YubiKey, the most secure form of phishing-resistant MFA, for immediate compliance with the EO.
With Microsoft and the YubiKey, government agencies receive phishing-resistant, federally compliant, hardware-backed strong authentication that is simple to deploy across multiple applications and modern devices, with single sign-on (SSO) capabilities.
- Out-of-the-box, native integration for Microsoft 365 collaboration and productivity tools
- Easy and secure access to Azure AD protected solutions
- Authenticate to Azure AD or AD FS with certificate-based authentication
- Secure corporate system access to Microsoft 365 remote workers & 3rd party entities
Integrate your solution with YubiKey and Azure
Phishing-resistant MFA for your journey to Zero Trust
FIDO2 passwordless authentication via a supported browser or desktop login
With certificate-based authentication (CBA), a user can use their YubiKey as a smart card to access Azure AD or AD FS.
*CBA is currently in public preview at Microsoft
Microsoft and Azure AD can integrate with third-party IAM (Identity and Access Management) solutions such as Ping Identity or Okta. As a result, YubiKeys can be used to authenticate to Azure AD through IAM solutions that provide modern phishing-resistant MFA based on FIDO2.
Phishing-resistant MFA with a touch
YubiKeys offer the best of both worlds—the best available security against phishing attacks and account takeovers, as well as simplified user experience. To authenticate, users simply tap/touch their security key. YubiKeys are also durable and don’t require batteries or need a cellular connection, and are water-resistant and crush-proof. Here are additional benefits to using YubiKeys for your Microsoft applications:
Enable the bridge to passwordless authentication
Government agencies can deploy a smart card/PIV passwordless solution today without the need for smart card readers—and get ready for a FIDO2/WebAuthn passwordless experience in the future.
Enhanced security posture with streamlined deployment
Deploying the YubiKey is a fast, simple, and inexpensive process thanks to seamless compatibility with existing infrastructure and YubiEnterprise subscription and delivery options.
Privileged users, remote workforce, and shared workstations
Improve security and productivity for privileged users or those sharing workstations and provide support for remote workers, contractors, air-gapped/isolated networks, cloud services, or high-risk military scenarios.
Microsoft works with the multi-protocol YubiKey 5 FIPS Series, ensuring a single solution across legacy and modern applications and devices. Supported authentication protocols include FIDO2/WebAuthn and certificate-based authentication.
Secure access to Microsoft apps
Microsoft 365 collaboration and productivity tools with Azure AD or AD FS are secured with the YubiKey solution that exceeds compliance requirements.
Convenient login for higher employee productivity
Organizations can enhance security and simplify logins, reducing support calls and downtime.
Integrated with leading IAM solutions
YubiKeys secure authentication to Microsoft Office applications that are federated via IAM solutions such as Ping Identity, Okta, Duo, and more.
Third party/vendor access
YubiKeys can secure corporate system access to Microsoft 365 workloads by third-party entities to prevent breaches.
YubiKeys and Azure AD certificate-based authentication for implementing Zero Trust architecture
In addition to protecting government agencies and employees, the EO mandates that organizations working with the federal government also have phishing-resistant authentication for their suppliers and partners. YubiKeys fit this requirement because they support both phishing-resistant authentication types: certificate-based (PIV/smart card) and FIDO2/WebAuthn. Azure AD certificate-based authentication (CBA) with YubiKeys lets enterprises cover BYOD, work-from-home, and first-line worker scenarios by issuing a YubiKey, without the need for external smart card readers.
Are you impacted by EO 14028?
Some organizations may believe that the Executive Order is focused only on federal agencies, but it has critical implications for many regulated and private sector industries such as defense, supply chain, healthcare, technology, and financial services. In March 2022, President Biden called on both state and local governments and the private sector to step up cybersecurity defenses in line with EO 14028 with all urgency, starting with “the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system…”