If you are reading this article, you have probably been assigned to help your organization go passwordless using YubiKeys for Azure CBA and Azure AD FIDO2 authentication, and you have already heard about the security and user-experience benefits, so I won't repeat them here. Day-to-day use is easy once users are onboarded, but one question remains: how do I get started with YubiKey onboarding for passwordless authentication? This blog will help you get started with that process.
First, if you are looking at passwordless authentication using YubiKeys, you need to know the difference between FIDO2 and Azure CBA, and whether you need both or whether one is enough.
FIDO2 is the one you hear about most because it is the newest passwordless authentication method; however, being the newest also means it is not yet supported everywhere. For example, iOS applications do not support FIDO2 authentication, and while FIDO2 can be used for on-premises authentication, it is still not as native or as reliable as smartcard authentication.
Unlike FIDO2, smartcard authentication and Azure CBA are supported everywhere. The reason it is not more popular is that it requires a longer setup; however, with passwordless onboarding tools such as EZCMS and our Azure-based Certificate Authority, you can have a self-service onboarding solution in less than an hour (my personal record is helping a customer set everything up in less than 17 minutes; if you are up for the challenge, schedule a call with me and let's see if we can beat that record). While smartcard authentication is enough for passwordless authentication in Azure, if you already have a YubiKey and EZCMS you might as well also enable FIDO2 onboarding, since you already have all the tools needed, giving your users the ability to use both passwordless authentication methods.
Below you can see a quick video on how to set up Azure CBA in Azure, but if you prefer written documentation, follow these steps:
1) Create your root Certificate Authority
2) Create your smartcard Certificate Authority
3) Add the Certificates to Azure CBA
Once we have set up Azure CBA, we are ready to issue smartcards and start our passwordless authentication journey.
As mentioned above, since we are already using YubiKeys for Azure CBA, we might as well enable FIDO2. Below is a quick video that guides you through the setup of Azure FIDO2 and shows how you can self-service create your own FIDO2 token; however, if you do not want your users to know their TAP and you want to enforce a PIN policy, we can enable it in EZCMS so the FIDO2 key is created together with the smartcard certificate.
Now that we have enabled Azure CBA (Certificate Based Authentication) and FIDO2 in Azure AD (Entra ID), we have to give our users a way to create their own smartcard certificates and FIDO2 keys on their YubiKeys.
1) First, we have to create our EZCMS instance.
2) Once it is created, register your tenant in EZCMS (this is also where you would enable FIDO2; for that you will have to set up TAP in your tenant, but don't worry, your users will never see the TAP).
3) Once your tenant is connected, set yourself as an HR administrator and add yourself to the HR database.
4) Now you are ready to walk through the same experience your users will have. Request a YubiKey, then use your administrator account to assign the YubiKey to yourself.
5) Once the smartcard is assigned, you can request your certificate and FIDO2 key either by scanning your government ID (premium plan only) or by using an existing AAD identity.
Now that you have set up the tools, you can start the YubiKey rollout to the rest of your organization. EZCMS can help you with the distribution, but we also understand that you might want to offload the whole logistics to us; if that is the case, schedule a demo and ask us about our managed YubiKey distribution service.