Microsoft launches passwordless authentication for Azure AD on iOS and Android

Microsoft is looking to better protect hybrid workers connecting to its Azure Active Directory (AD) service via iOS or Android endpoints from phishing and password-stealing attacks. 

The company has introduced a new passwordless, certificate-based authentication (CBA) method for the enterprise identity service, enabled through the YubiKey hardware security key built by Yubico.

According to Microsoft’s announcement, the tool will give mobile users a Federal Information Processing Standards (FIPS) certified login solution that is fully resistant to phishing attacks.

Easy and secure authentication

“U.S. cybersecurity Executive Order 14028 requires the use of phishing-resistant MFA on all device platforms. On mobile, while customers can provision user certificates on their personal mobile device to be used for authentication, this is primarily feasible for managed mobile devices. But this new public preview unlocks support for BYOD,” Vimala Ranganathan, product manager of Microsoft Entra, wrote in the blog post announcing the new features. 

With the new solution, Microsoft AD users will be able to provision certificates with a hardware security key, allowing them to easily authenticate on mobile devices. Apple’s iOS users need to register via the Yubico Authenticator app, and copy the public certificate into the iOS keychain. After that, they can select the YubiKey certificate to sign in, and enter the PIN code. 

For Android users, Microsoft said Azure AD CBA support with YubiKey on Android mobile is enabled via the latest MSAL. Android users don’t need the YubiKey Authenticator app, as they can plug in their YubiKey via USB, initiate Azure AD CBA, pick the certificate from YubiKey, enter the PIN and get authenticated.

Microsoft claims this authentication method minimizes the chances of credential theft and identity theft carried out through phishing or social engineering.

“Microsoft’s mobile certificate-based solution coupled with the hardware security keys is a simple, convenient FIPS-certified phishing-resistant MFA method,” Ranganathan concluded. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.