For quite some time now, certificate-based authentication has been one of the most secure ways to ensure that your credentials remain unphishable. As you’re most likely aware, traditional, password-based authentication is a problem, and presents a multitude of risks to businesses that still choose to leverage this outdated means of authentication. One of the core questions people have is, “How do I go passwordless and implement phishing resistant authentication in Entra?” In the following post, we’ll walk you through the process of implementing phishing resistant credentials with Entra CBA utilizing our proprietary PKI tools, EZCA and EZCMS.
Any Security Engineer worth their salt will research thoroughly and spec out a project before jumping in with both feet. First, let’s define which passwordless methods are phishing resistant: the answer is FIDO2 and Entra CBA. These two methods are considered phishing resistant because the private key stays on the device, so the user cannot give it away even if they are tricked into using a phishing site.
While both methods are great and depend on similar technology, we recommend using both of them to implement phishing-resistant credentials in Entra ID. The reason is that while FIDO2 is more convenient to use (you don’t have to enter your user name), FIDO2 is not supported on iOS devices, and it is a pain to set up for on-premises authentication. Having both FIDO2 and Entra CBA on the same key gives you the best of both worlds, and tools like EZCMS and EZCA make it easy for you and your users.
So, what do we need to know before we get started? Simple. CBA relies on [X.509 certificates](https://www.keytos.io/blog/pki/what-are-x509-certificates). These certificates must be issued by a Certificate Authority (CA) recognized by Entra (fun fact: EZCA by Keytos is on the list!). You may be thinking, “Hey! Why do I need third-party PKI tools for this?” Well, unfortunately (and in typical Microsoft fashion), Entra does not offer a built-in, native CA. Furthermore, they’ve even gone on to say that certificate issuance and management is out of scope. Because of this, there are basically two ways we can go about things…
Intune SCEP – We suggest taking some time to learn a bit more about Intune and how to get SCEP certificates. But keep in mind, they’re only considered single-factor.
Smartcards or Hardware Keys – To achieve full phishing-resistant authentication you must use smart cards or YubiKeys (before you yell at me that Hello for Business is also phishing resistant, I will ask you: how can you onboard to Hello for Business without an existing identity? If that confuses you, check out our blog about the chicken-and-egg problem with passwordless authentication for a more in-depth explanation).
The choice of smart card provider is a pivotal decision. It greatly influences aspects like user experience, security robustness, and overall cost efficiency. Among the options available, YubiKeys stand out as a top recommendation. They’re REALLY easy to use, relatively inexpensive, support FIDO2, and the enhanced security protocols developed in collaboration between Yubico and Keytos ensure an unparalleled level of security. Nevertheless, YubiKeys might not align with everyone’s needs or budget. In such cases, legacy smart cards such as PIVKey are the clear alternative or next-best solution. Once you have selected your smart card provider and have ordered a few for testing, we can set up the rest of the infrastructure.
To set up EZCMS, first you must register the application in your tenant. Once the application is registered, you can go to the Azure Portal and create your instance. Lastly, you’ll want to manage the subscription to make sure your organizational settings are to your liking.
If you do not have an existing CA, or want to move your infrastructure to the cloud, we recommend using EZCA, our cloud-based certificate authority, which enables you to create secure and compliant HSM-backed Certificate Authorities in Entra. The EZCA smart card CA must chain up to a Root CA. You can create one in EZCA or chain up to your existing root CA.
Pro tip: If you already have a Windows ADCS Certificate Authority set up for issuing smart card certificates, you can connect EZCMS to ADCS and start issuing certificates from your ADCS CA.
Once you’ve created your CAs, you need to upload the CA certificates to Azure as trusted CAs by doing the following:
1) Sign in to the Azure portal as a Global Administrator.
2) Choose Entra ID and click Security in the left-hand panel.
3) Choose Certificate Authorities.
4) Upload the certificate for every root and issuing CA in your infrastructure. Be sure to add a publicly accessible CRL URL so that Entra can verify that the certificates have not been revoked.
After setting up the Certificate Authorities that Entra should trust for user authentication, we need to allow Entra to accept certificate-based authentication as an authentication method by doing the following:
1) Navigate to Authentication Methods inside the Security section.
2) Select Policies on the left-hand side.
3) Click on Certificate-based authentication.
4) Click on the Configure tab.
5) Select the protection level. Entra defaults to Single-factor, since it does not know whether you are going to use a bare certificate or protect that certificate with a smart card; if you are going to use smart cards, change it to Multi-factor authentication.
6) In the Rules section, set the CAs that can issue user certificates. Note: you can also set a policy ID if you are using that CA for other certificate types, but PKI best practice is to use a dedicated CA for smart card authentication.
7) Select the username binding order (this is how the user name is added to the certificate). In this example we use PrincipalName mapped to the user principal name, which is what EZCMS defaults to.
8) Click Save.
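Before rolling out beyond the test user, it is worth checking a test smart card certificate against the requirements from the two procedures above: a publicly reachable CRL URL, the UPN in the Subject Alternative Name for PrincipalName binding, and a chain that builds to the CAs you uploaded. The PowerShell script below is an added example written for this post; it is not code from Keytos, EZCA or EZCMS. It assumes Windows PowerShell 5.1 or later on Windows (the regexes rely on the certutil-style text that .NET’s extension Format() method produces there), that the leaf certificate has been exported without its private key to the placeholder path C:\temp\smartcard-user.cer, and that the issuing and root CA certificates are installed in the machine’s trusted stores.

```powershell
# Added example for this post (not code from Keytos, EZCA or EZCMS): pre-rollout
# checks on a test smart card certificate before enabling Entra CBA for everyone.
# Assumptions: Windows PowerShell 5.1+ on Windows; the leaf certificate was exported
# without its private key to the placeholder path below; the issuing and root CA
# certificates are installed in the machine's trusted stores.
param(
    [string]$CertPath = 'C:\temp\smartcard-user.cer'   # placeholder path, adjust
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$findings = @()   # collects every failed check; the script exits 1 if any remain

# 1. Username binding. With the PrincipalName binding the UPN must be present in the
#    Subject Alternative Name (OID 2.5.29.17) as an otherName "Principal Name".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') {
    "UPN in certificate  : $($Matches[1])"
} else {
    $findings += 'SAN has no Principal Name (UPN); PrincipalName binding cannot match a user.'
}

# 2. Extended Key Usage (OID 2.5.29.37). Client Authentication is what Entra needs;
#    Smart Card Logon is additionally needed for Windows smart card sign-in.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') {
    $findings += 'EKU is missing Client Authentication (1.3.6.1.5.5.7.3.2).'
}
if ($ekuOids -notcontains '1.3.6.1.4.1.311.20.2.2') {
    'WARN: EKU has no Smart Card Logon (1.3.6.1.4.1.311.20.2.2); Windows smart card sign-in will not work.'
}

# 3. CRL Distribution Point (OID 2.5.29.31). Entra fetches the CRL itself, so the URL
#    must be an HTTP(S) URL reachable from the internet, not an LDAP or file path.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = if ($cdp) {
    @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
} else { @() }
if ($crlUrls.Count -eq 0) {
    $findings += 'Certificate has no CRL Distribution Point; Entra cannot check revocation.'
}
foreach ($url in $crlUrls) {
    if ($url -notmatch '^https?://') {
        $findings += "CRL URL '$url' is not HTTP(S); Entra cannot fetch it."
        continue
    }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        "CRL reachable       : $url (HTTP $($resp.StatusCode))"
    } catch {
        $findings += "CRL URL '$url' could not be downloaded: $($_.Exception.Message)"
    }
}

# 4. Build the chain with online revocation checking, mirroring what Entra does
#    against the root and issuing CAs uploaded under Security > Certificate Authorities.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain builds to root: $($root.Subject)"
} else {
    foreach ($s in $chain.ChainStatus) {
        $findings += "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { "FAIL: $_" }
    exit 1
}
'All pre-rollout checks passed.'
```

Save it under any name (for instance the hypothetical Check-SmartCardCert.ps1) and run it as `.\Check-SmartCardCert.ps1 -CertPath .\test-user.cer` from a workstation that has normal internet access; a CRL that only resolves inside your network will pass from a domain-joined machine but fail from Entra, which is exactly the case the HTTP download step is meant to catch before users hit it.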
EZCMS is designed to onboard users from multiple tenants, so you can use it to onboard users to all your different tenants. For example, at Keytos we follow Azure security best practices and do full tenant isolation for corporate (keytos.io), test, and production identities, and we use EZCMS to onboard all of them. Follow the EZCMS documentation to register your domain.
Time to add a test user to EZCMS. Next, we can assign a smart card to that user. Now we’re ready to issue our first smart card!
Once EZCMS is set up and you have created your test smart card, you can test the authentication flow by doing the following:
1) Go to the Azure portal in an incognito tab.
2) Enter your username.
3) Select “Use a certificate or smart card”.
4) Select your smart card certificate.
5) Enter your PIN.
6) If using a YubiKey, touch the YubiKey to complete the authentication.
7) You have successfully logged in with your smart card.
Nicely done! Now that you have successfully set up smart card authentication with Entra CBA, you can start rolling it out to all your users.
Still not really sure you’re ready to tackle this project? No worries! Use this link to schedule some time to speak with our Identity experts at your convenience. The team at Keytos prides itself on making passwordless authentication achievable for anyone! We’re certain a quick chat with the team will help put you at ease when it comes to taking the next step in your organization’s path towards zero trust! In the meantime, have a look at some of our recommended reading below.