SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Microsoft & Yubico boost security with FIDO2 integration

Thu, 8th Aug 2024

Microsoft is enhancing its phishing-resistant security for Entra ID by integrating FIDO2 provisioning APIs. The move is expected to impact current YubiKey users and those considering using such security devices. Yubico, a long-term partner of Microsoft, has expressed full support for this development.

In the past decade, Yubico and Microsoft have collaborated to provide robust security measures. Microsoft recently mandated using multi-factor authentication (MFA) for all Azure users. This requirement is seen as a crucial step in enhancing end-user security and is aimed at preventing phishing attacks.

Yubico welcomed Microsoft's mandate and urged organisations to extend the use of modern MFA solutions beyond Azure users. In a detailed response, the company highlighted the necessity of protecting all resources and applying policies to all users and applications through Conditional Access Policy Authentication Strengths. Organisations were encouraged to adopt phishing-resistant MFA solutions like YubiKey.

Addressing the new FIDO2 provisioning APIs, Yubico pointed out that these new tools allow organisations to develop alternative administrator-led provisioning clients. These clients support the setup of hardware security keys like the YubiKey. Previously, organisations were restricted to requiring users to register their own security keys, a process that could involve using phishable methods like Temporary Access Passes.

Natee Pretikul, Principal Product Management Lead at Microsoft Security, emphasised the importance of phishing-resistant MFA: "Phishing-resistant multi-factor authentication (MFA) is a critical component to a healthy and secure cybersecurity practice for any organisation. Through our FIDO2 Provisioning API integration with Yubico solution, our enterprise customers can quickly implement YubiKey, enhancing employee protection more efficiently."

The introduction of these APIs ensures that users can now be onboarded into an organisation or recover their accounts without reverting to insecure, phishable authentication methods. This development seeks to bridge gaps in security measures, especially for diverse and multinational entities and government agencies.

Yubico highlighted its commitment to ensuring seamless integration of YubiKeys into the Microsoft ecosystem. They have even released a GitHub project showing how customers can leverage the new Microsoft Graph APIs. Erik Parkkonen, Senior Solutions Architect of Integrations at Yubico, said, "With Microsoft’s proven commitment to driving the highest security for users, and through our integration with Entra ID, YubiKeys offer a seamless, robust solution that not only strengthens security but simplifies the user experience."

YubiKeys are designed to defend against account takeovers by offering strong two-factor, multi-factor, and passwordless authentication. According to Yubico, not all forms of MFA provide the same level of security. Legacy methods, such as passwords and mobile-based authentication methods, are susceptible to attacks, including phishing, malware, and SIM swaps. This risk is particularly critical within the Microsoft ecosystem, where services like Azure, Microsoft 365, and Dynamics 365 are integrated.

Yubico also noted that YubiKeys could be used across various devices, including the Surface Pro 10 for Business. This facilitates easy and secure authentication for different user categories, such as mobile-restricted users and factory floor workers.

Yubico reiterated its commitment to staying ahead of cyber threats in partnership with Microsoft. The company encourages organisations to prepare for the Azure MFA mandate and review Microsoft's guidance to identify impacted users. It advises organisations to leverage Microsoft’s built-in Authentication Strengths or develop custom ones to enforce phishing-resistant MFA across all users and applications.
