New Phishing-Resistant Yubikeys


Microsoft has announced the release of three new solutions that enable organisations to deploy Azure Active Directory (Azure AD) to fight phishing attacks in Azure, Office 365, and remote desktop environments. These solutions will be essential to mitigate phishing attacks and will play a key role in supporting organisations looking to comply with the Executive Order. These solutions include:

  • Certificate-based Authentication (CBA)
  • New authentication policies including FIDO and certificates
  • Azure Virtual Desktop (AVD) now supports FIDO in addition to certificates

“Providing new identity solutions to protect our customers is paramount in the fight to stop phishing,” said Sue Bohn, vice president of product management for Microsoft’s Identity and Network Access (IDNA) group. “We’re excited to launch these new features that support key steps customers can take in their Zero Trust journey, and Yubico has been with us fighting against phishing attacks every step of the way.”

Certificate-based Authentication

CBA is generally available for Azure AD. This feature enables organisations with existing smart card & public-key-infrastructure (PKI) deployments to authenticate to Azure AD without a federated server. Organisations can now use the same YubiKey as a smart card with Azure AD enabling them to migrate away from on-premises authentication solutions like ADFS as part of their Zero Trust and cloud strategies.

Conditional Access Authentication Strengths: Enforced FIDO or Certificate-based Authentication

This new feature from Microsoft enables organisations to fight phishing attacks by implementing specific user authentication policies. The public preview of Conditional Access Authentication Strengths enables organisations to restrict authentication to their requirements.

These features enable enterprises to leverage YubiKeys for phishing-resistant MFA for FIDO-based passwordless (FIDO2/WebAuthn) or certificate-based authentication to enforce that YubiKeys are the only authentication solution allowed.

By configuring Azure AD to require YubiKeys for phishing-resistant authentication, organisations are eliminating an entire attack vector for their most privileged users and safeguarding their most critical assets.