Microsoft’s Certificate-Based Authentication Enables Phishing-Resistant MFA
Microsoft has removed a key obstacle facing organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.
The release of CBA in Azure AD, announced during last month’s Microsoft Ignite conference, promises to pave the way for large enterprises to migrate their on-premises AD implementations to the cloud. It’s a move Microsoft is encouraging enterprises to take to protect their organizations against phishing attacks.
Further, last week Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices without requiring IT to install user certificates. Specifically, Microsoft on Wednesday issued a preview release of Azure AD with CBA support on mobile devices using security keys from Yubico.
Meeting Federal Standards
CBA capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with US President Joe Biden’s 2021 Executive Order (14028) on Improving the Nation’s Cybersecurity.
The executive order directs all federal government agencies and those the government does business with to move to zero-trust architecture (ZTA) security. Phishing-resistant MFA is a requirement detailed in the follow-on guidance, Memorandum MB-22-09, issued early this year by the US Office of Budget and Management (OMB).
OMB’s memorandum specifies that all civilian and intelligence agencies implement cloud-based identity architectures resistant to phishing. That means eliminating legacy MFA solutions that attackers can compromise, including SMS and one-time password (OTP) based authentication susceptible to phishing attacks.
SMS phishing attacks, also called “smishing,” are fraudulent text messages that appear legitimate, directing victims to enter personal information into a fake website. “Smishing has turned increasingly into a meaningful attack vector; I see it all the time,” says Andrew Shikiar, executive director of the FIDO Alliance.
Beyond federal agencies and contractors, preventing phishing from MFA bypass attacks has become crucial to all enterprises. This year, MFA relay attacks have escalated; for example, in the August compromise of Twilio’s broadly used MFA service, the attackers prompted unwitting users to share their Okta credentials.
Experts anticipate such attacks will rise next year. “I think social engineering and MFA bypass attacks will continue to grow in 2023, where some other major service providers suffer meaningful breaches like we did this year,” Shikiar says.
Moving From ADFS to Azure AD
Microsoft emphasized that CBA in Azure AD is critical in paving the way for federal government agencies to comply with the president’s executive order. CBA provides a migration path from on-premises Active Directory Federation Services (ADFS) to the cloud-based Azure AD.
Now that CBA is available in Azure AD, organizations can use the cloud-based version of Active Directory to require users to login directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them with an organization’s public key infrastructure (PKI) using X.509 certificates. The X.509 certificate renders applications resistant to phishing because each user and device has its unique certificate.
Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. “What Microsoft is doing is removing the hurdle of having to have a separate service, and between you and the cloud, they’ re supporting that natively,” says Derek Hanson, VP of solutions architecture and standards at Yubico.
“This removes the last major blocker for those of you who want to move all of your identities to the cloud,” said Joy Chik, president of Microsoft’s identity and network access division, during a session at the company’s Ignite conference.
Chik emphasized that connecting applications to Azure AD paves the way for retiring on-premises ADFS, which organizations typically use to enable PKI. However, most organizations have relied on ADFS for decades, and migrating to Azure AD is a complex move. Nevertheless, Chik said it is necessary. “ADFS has become a primary attack vector,” she said.
Indeed, most enterprises that use X.509 for authentication rely on federated servers — and in most cases, that means ADFS. Doug Simmons, managing director and principal consulting analyst at TechVision Research, estimates that at least 80% to 90% of enterprises use ADFS.
“I really don’t know of any organizations that are not using ADFS,” Simmons says. Now that CBA is available in Azure AD, Simmons agrees that organizations will begin the process of migrating from ADFS. “I think they will likely make the migration within the next two years,” he says.
Fulfilling the Government Mandates
During the past year, Chik said that Microsoft has added more than 20 capabilities to ensure that all the critical authentication capabilities in ADFS are available in Azure AD.
“Certificate-based authentication is critical for customers in regulated industries,” Chik said. “This includes US federal agencies, which must deploy phishing-resistant MFA to comply with the White House executive order on cybersecurity.”
Simmons notes that enabling agencies to meet this mandate is critical for Microsoft to retain and expand government deployments, especially agencies that require authentication that complies with the FIPS 140 and FIDO2 standards.
“From what I understand, Microsoft needs Azure to stay ahead of the [federal government game] or risk being further overtaken by Google, AWS, and others,” Simmons explains. “So this would be necessary to demonstrate said compliance and fully integrated support.”
Earlier this year, Microsoft launched Entra, an identity and access management (IAM) platform anchored by Azure AD and using other tools, including Permissions Management, Verified ID, Workload Identities, and Identity Governance.
“With Entra, they are making a significant investment in multicloud administrative security,” Simmons adds. “Multicloud is key because they realize the world doesn’t end with Azure. In fact, most of their customers — and probably all of our customers — have the big three clouds in production. To better secure cross-cloud admin, they need to make strong authentication available to the privileged users, who can be developers and admins. Just supporting phone-based push MFA isn’t enough for some organizations, especially when it comes to the US government and defense.”
Bringing Azure AD CBA Support to Mobile Devices
Microsoft’s release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico’s YubiKey. Microsoft’s director of identity security Alex Weinert announced the release in a brief blog post.
“With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user’s mobile device,” Weinert wrote.
Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile. Ultimately, contractors and US Department of Defense personnel will be able to embed their DoD common access cards (CAC) and personal identity verification (PIV) cards into their mobile devices.
“CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt,” said Yubico solutions architect Erik Parkkonen in a blog post.
Besides taking some configuration steps within Azure AD and installing the Microsoft Authenticator app on Android or iOS/iPadOS, users must install the Yubico Authenticator app on mobile devices.
Users must then install their personal identity verification (PIV) credential independent of the Azure solution, Parkkonen noted. Further, administrators can deploy Microsoft’s latest Conditional Access authentication strength policies to enforce CBA. Microsoft late last month released a preview of the new Conditional Access authentication strength capabilities.