Microsoft launches passwordless authentication for Azure AD on iOS and Android


Microsoft is looking to better protect hybrid workers connecting to its Azure Active Directory (AD) service via iOS or Android endpoints from phishing and password-stealing attacks. 

The company has introduced a new authentication method for the enterprise identity service: passwordless, certificate-based authentication (CBA) using the YubiKey hardware security key built by Yubico. 

According to Microsoft’s announcement, this gives mobile users a sign-in method that is both Federal Information Processing Standards (FIPS) certified and phishing-resistant. 

Easy and secure authentication

“U.S. cybersecurity Executive Order 14028 requires the use of phishing-resistant MFA on all device platforms. On mobile, while customers can provision user certificates on their personal mobile device to be used for authentication, this is primarily feasible for managed mobile devices. But this new public preview unlocks support for BYOD,” Vimala Ranganathan, product manager of Microsoft Entra, wrote in the blog post announcing the new features. 

With the new solution, Azure AD users can provision certificates on a hardware security key and use them to authenticate on mobile devices. On iOS, users register via the Yubico Authenticator app, which copies the public certificate into the iOS keychain. After that, they select the YubiKey certificate to sign in and enter the key’s PIN. 

For Android, Microsoft said Azure AD CBA support with YubiKey is enabled through the latest Microsoft Authentication Library (MSAL). Android users do not need the Yubico Authenticator app: they plug the YubiKey in over USB, initiate Azure AD CBA, pick the certificate from the YubiKey, enter the PIN and are authenticated.

Microsoft says this method reduces the risk of credential and identity theft through phishing or social engineering: there is no password to type into a fake sign-in page, and the certificate’s private key never leaves the hardware key. 
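As an added illustration (this is not code from Microsoft, Yubico or the article), the Go program below models what the sign-in steps above amount to under the hood and why the result resists phishing: an enterprise CA issues a user certificate, a token holding a non-exportable key signs a server challenge only after the correct PIN, and the identity provider checks the chain, the proof of possession and the certificate-to-user binding before accepting the login. The user name, PIN, hostnames, the RFC822Name SAN binding and the challenge construction are all assumptions made for the demo; real Azure AD CBA runs over TLS client authentication, which binds the signature to the handshake rather than to the simple hash used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue makes a P-256 key plus a certificate for tmpl signed by parent (self-signed when parent is nil); fixture setup in the template.Must style, so it panics on failure.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return cert, key
}

// HardwareKey models the YubiKey PIV slot: the private key never leaves the token and signs only after the PIN.
type HardwareKey struct {
	Cert *x509.Certificate // public certificate, the part the iOS flow copies into the keychain
	priv *ecdsa.PrivateKey
	pin  string
}

// challengeDigest ties the signature to the host the client connected to. Real CBA runs over TLS client
// auth, where CertificateVerify covers the handshake transcript; this hash is a simplified stand-in.
func challengeDigest(serverName string, nonce []byte) []byte {
	sum := sha256.Sum256(append([]byte("cba-challenge\x00"+serverName+"\x00"), nonce...))
	return sum[:]
}

// Sign is the on-token operation: check the PIN, then sign the challenge with the non-exportable key.
func (k *HardwareKey) Sign(pin, serverName string, nonce []byte) ([]byte, error) {
	if pin != k.pin {
		return nil, fmt.Errorf("wrong PIN")
	}
	return ecdsa.SignASN1(rand.Reader, k.priv, challengeDigest(serverName, nonce))
}

// Provision enrolls a user: an issuing CA (the PKI the tenant trusts) and a client-auth certificate carrying the UPN in the RFC822Name SAN (assumed binding), loaded onto the token.
func Provision(upn, pin string) (*x509.CertPool, *HardwareKey) {
	now := time.Now()
	ca, caKey := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	cert, key := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: upn}, EmailAddresses: []string{upn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, &HardwareKey{Cert: cert, priv: key, pin: pin}
}

// VerifyLogin is the identity provider's side: trusted chain with the client-auth EKU, proof of possession for this server and nonce, and a certificate bound to the claimed user.
func VerifyLogin(roots *x509.CertPool, serverName string, nonce []byte, cert *x509.Certificate, sig []byte, claimedUPN string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, challengeDigest(serverName, nonce), sig) {
		return fmt.Errorf("signature does not verify for %s", serverName)
	}
	for _, e := range cert.EmailAddresses {
		if e == claimedUPN {
			return nil
		}
	}
	return fmt.Errorf("certificate is not bound to %s", claimedUPN)
}

func main() {
	roots, token := Provision("alice@example.com", "123456") // constructed demo user and PIN
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig, _ := token.Sign("123456", "login.example.com", nonce)
	fmt.Println("genuine sign-in:", VerifyLogin(roots, "login.example.com", nonce, token.Cert, sig, "alice@example.com"))
	// A phishing proxy can relay the real nonce, but the token signs for the host the phone is actually talking to.
	relayed, _ := token.Sign("123456", "login.example.com.evil.test", nonce)
	fmt.Println("relayed via phishing site:", VerifyLogin(roots, "login.example.com", nonce, token.Cert, relayed, "alice@example.com"))
}
```

The relay case is the one that matters for the phishing claim: a proxy sitting between the phone and the real service can forward the challenge, but the signature it gets back is over the attacker's hostname, so the genuine verifier rejects it. A password or a one-time code has no such binding and relays cleanly. The same verifier also rejects a certificate from an issuer outside the trust pool and a certificate whose SAN does not match the user who is claiming to sign in, which is the check that keeps one enrolled user from signing in as another.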

“Microsoft’s mobile certificate-based solution coupled with the hardware security keys is a simple, convenient FIPS-certified phishing-resistant MFA method,” Ranganathan concluded. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.