Adopting unphishable credentials for Azure authentication is more than just a technical change. It’s about fostering a “culture of security” within your organization, where every member understands and contributes to the collective cybersecurity effort. In a time where cybersecurity threats continue to become increasingly sophisticated, protecting your organization’s data has never been more important. One of the most effective ways to strengthen your organization’s cybersecurity is by implementing phishing-resistant authentication; a strategy that goes FAR beyond traditional password-based authentication, which we know too problematic and insecure. In this post, we’ll walk you through the basic terminology and process associated with implementing phishing resistant MFA for your entire organization.
Let’s get started by defining some basic terms associated with passwordless authentication. First things first, The concept of unphishable credentials, also known as unphishable Multi-Factor Authentication (MFA), involves the utilization of credentials impervious to phishing attempts by bad actors, aka Hackers. The foundational principle of these credentials lies in their composition: they are built upon asymmetric cryptographic keys. This intricate design facilitates a secure authentication process wherein the private key remains undisclosed, thereby thwarting any attempts by attackers to pilfer this sensitive secret. This authentication method bypasses the vulnerabilities inherent in traditional passwords by employing alternatives like biometrics, security keys, or single-use codes.
At present, there exist merely two distinct types of unphishable credentials: FIDO2 and Smart Card authentication. Although they share a conceptual similarity in their operation, the crux of their difference lies in the mechanism through which the cryptographic key is validated.
FIDO2 Authentication: This method leverages a more modern framework. It typically involves hardware devices like security keys. The validation process in FIDO2 is designed to work to enable cryptographic authentication without the need to deploy a PKI and distribute certificates to your users, instead it relies on the public key of the device being mapped to the user. While this is very convenient, some devices might not support FIDO2 authentication, (such as iOS devices in Entra ID).
Smart Card Authentication: In contrast, smart card authentication uses certificate-based authentication where the certificate has the user information and since it has been the preferred method for governments around the world, it is widely used and supported.
If you’ve made it this far, you’re most likely wondering, “How do I get started? What does implementation look like?” I’m glad you asked! First, you’re going to want to consider the entire process of going passwordless, not just which method you’ll employ. Even top-notch security is ineffective if end-users find it cumbersome and IT struggles to implement it. Next, you’re going to want to do your research to make sure you have a thorough understanding of the task at hand.
While in this section we are breaking it out into different categories, you don’t need to use the same authentication method for all your accounts. For example, you might have your sales team use the Microsoft Authenticator App, while your C-level executives employ FIDO2 hardware keys + Smart cards. When it comes down to it, it is all a balance between usability, cost, and risk tolerance. Never forget, there is no one-size-fits-all approach, and a hybrid approach, in most cases, tends to be the most practical solution for most organizations.
Phishing Resistant Authentication for On-Premises Active Directory + Azure Cloud
If you subscribe to our newsletter, you probably read the post on FIDO2 on-premises and know that for on-premises, Smartcard is still king. Meaning that if you have a hybrid environment you can get away with Smartcard only authentication, and even get the legacy smartcards that are cheaper (and multipurpose since they can be used for building access and employee IDs) than more modern hardware tokens such as YubiKeys or Feitian Keys. However, keep in mind that what you are saving on smartcards, will be spent on smartcard readers and with the more modern hardware keys you also get FIDO2 capabilities allowing you to have the two best unphishable credentials in one single device.
Phishing Resistant Authentication for Cloud-Only Entra ID and Microsoft 365
If you only have cloud resources (Azure and/or Microsoft 365), you might be inclined to go with FIDO2 only since Microsoft has marketed it as the cloud based unphishable credential; unfortunately, though, it is not compatible with all their services. Tools using MSAL such as Azure PowerShell do not support FIDO2 authentication, and while they are making strides to make it available in more places such as in iOS browsers it is still not supported in Microsoft iOS applications. To mitigate this, we use FIDO2 + Azure CBA certificate authentication. EZCMS is the only CMS to add a Smartcard certificate and FIDO2 credential to a YubiKey in the same onboarding process, making it seamless for the user - they don’t know when they are using Azure CBA and when they are using FIDO2, they just know they are using their hardware key for passwordless authentication.
Acknowledging the specialized skills of your IT professionals is crucial. They are, after all, hired for their expertise in information technology. Their valuable time should be directed towards utilizing tools like YubiKeys to enhance and fortify your organization’s cybersecurity framework, rather than navigating the logistical complexities of ordering and distributing these devices.
This logistical responsibility aligns perfectly with the services offered by Keytos. Our EZCMS, a pioneering phishing resistant authentication onboarding CMS for Entra ID, is specifically designed to alleviate this burden. We utilize our extensive infrastructure to manage the shipping and logistical challenges associated with deploying YubiKeys, irrespective of your organization’s size.
Keytos boasts a robust global infrastructure, enabling us to collaborate with local vendors worldwide for efficient and cost-effective delivery of YubiKeys. For instance, if your U.S.-based company requires 500 YubiKeys in India, our system promptly activates our network in India to identify the most advantageous vendor, ensuring a seamless, economical, and swift fulfillment of your order. This approach not only saves time and costs, particularly in import taxes, but also spares you the typical complexities associated with international logistics of YubiKey distribution.
As you can plainly see, implementing phishing resistant credentials in Azure may have a lot of moving parts, but it is possible! Once you do it, you’ll never look back! If you are ready to take the next step on your passwordless journey, book a call with one of our Engineers with decades of experience moving some of the largest companies (including Microsoft) to a fully passwordless environment. Learn more about EZCMS, our passwordless onboarding tool for Azure, to see exactly how easy it is to implement phishing resistant authentication for your entire organization! Remember, implementing phishing-resistant authentication is a crucial step in safeguarding your organization’s digital assets, especially in the cloud-centric world of Azure. By understanding its importance, evaluating the best methods, and effectively implementing and scaling these solutions, you can significantly enhance your organization’s cybersecurity posture.