To protect the infrastructure and improve cybersecurity in the US, Executive Order 14028 and the Office of Management and Budget Memo M-22-09 strongly required phishing-resistant authentication for all federal agencies. The M-22-09 memo also specifies two standards-based authentication protocols that will satisfy the phishing-resistant requirements, FIDO2/WebAuthn and PIV smart cards.
In the Microsoft ecosystem, PIV smart cards have long been supported for desktop systems on Windows and macOS. Recently, the company announced an excellent win for government agencies and organisations already using intelligent cards by expanding support for PIV smart cards on mobile devices using YubiKeys.
Entra ID (Azure AD) has supported using YubiKeys for FIDO2 passwordless sign-in since 2021, and customers have been waiting ever since to sign in with their YubiKey from their mobile devices.
Now, the tide is beginning to change.
Microsoft recently announced general availability for using FIDO2 security keys with Safari, and this new support goes beyond desktops and includes iPhones and iPads.
Users can sign in to any Entra ID-protected web application on their iPhone or iPad using supported browsers.
By now, every organisation should be on their way to a passwordless and Zero Trust journey. With mobile support, organisations can get a step further in their journey.
Microsoft also announced Conditional Access Policy Authentication Strengths, allowing customers the flexibility to require PIV or FIDO2 everywhere except for the edge cases where the protocols aren't supported yet. This enables organisations to get closer and closer to a modern passwordless end-state where end-users are no longer allowed to use phishable authentication methods when accessing applications.
“These Conditional Access Policies are powerful and flexible. With authentication strengths, organisations will be able to enable: out-of-the-box policies that require phishing-resistant authentication including enforcing users use FIDO2 security keys, certificate-based authentication, or Windows Hello for Business,” says a Yubico spokesperson.
“Custom policies that require FIDO2 security keys, including enforcing users use any FIDO2 security keys like YubiKeys to access the environment. Users use specific YubiKey 5 FIPS series or other models by specifying the exact AAGUIDs. AAGUIDs are the IDs that FIDO2 security key vendors use to uniquely identify their device models.”
“Custom policies that require certificate-based authentication, including enforcing users use YubiKeys as PIV smart cards to access the environment.”
“Native apps don’t support FIDO2 authentication yet on macOS and iOS. Android also does not support FIDO2 authentication yet. Microsoft has committed to deliver these features, but they aren’t here yet. Nevertheless, we celebrate these great milestones and look forward to when organisations can finally get to passwordless everywhere.”
“Yubico is working closely with Microsoft on its CBA mobile solutions to play a critical part in the fight against phishing. The companies are working together to support organisations to provide consistent and strong phishing-resistance across all platforms," says the spokesperson.