If you are trying to implement unphishable credentials in Azure, you have probably looked at FIDO2 and Entra CBA (Certificate-Based Authentication); however, after taking a closer look, you will see that FIDO2 is still not fully supported in iOS, only in browsers, meaning that if you want to use phishing-resistant authentication in iOS you must use certificate-based authentication with Azure CBA (Entra CBA). As of this writing, only YubiKeys are supported for Entra ID mobile authentication. In this post, we will cover the full process of getting your YubiKeys ready for iOS authentication.
The first step in getting the YubiKey ready for Entra CBA is getting a user certificate onto the YubiKey. While this might sound very complicated, since you need a certificate authority, a CMS (Credential Management System) to distribute your smartcard certificates, and a way to distribute the YubiKeys to your remote users, it can be simplified with EZCMS. EZCMS takes care of all that, allowing you to set up your own cloud-based infrastructure in less than 30 minutes! See the video below or this blog to set up your Entra CBA infrastructure in minutes.
Once you have set up your YubiKey for Entra CBA, you must download the Yubico Authenticator app. In the application, connect your YubiKey and click Configuration. On the configuration page, ensure that the smartcard extension is enabled and that your certificate has been added to the iPad. After this, you are ready to start authenticating with your YubiKey! The only minor change when you authenticate is that you will have to tap the push notification to go to the Yubico app, enter your YubiKey PIN, and finish authentication. You can see the whole process in the video below.
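Before loading the key into the Yubico Authenticator it is worth confirming, on a workstation, that the certificate in the YubiKey's PIV authentication slot is one Entra CBA can actually bind to the user. The script below is an added example, not part of the original post or of EZCMS: it assumes openssl 1.1.1 or later is on PATH, and the `ykman` export command in the comments is only shown, not run; the sample certificate it builds is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post. Entra CBA maps a certificate to a
# user through a username binding, by default the UPN otherName
# (OID 1.3.6.1.4.1.311.20.2.3) or the RFC822 e-mail name in the SAN. This
# checks a PEM certificate for that before the key goes into the Yubico
# Authenticator, so a binding mismatch is caught here rather than on the iPad.
# Assumes openssl 1.1.1+ on PATH. To check a real key, first export slot 9a:
#   ykman piv certificates export 9a cert.pem      (ykman is not run here)

# Print each subjectAltName entry of the PEM certificate $1 on its own line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | sed -n '2,$p' | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Succeed (exit 0) if certificate $1 carries a UPN otherName or an e-mail SAN
# whose value equals the user's Entra UPN $2 (case-insensitive).
# Older openssl prints unknown otherNames as "<unsupported>", so a UPN-only
# certificate can only be verified this way with openssl 3.x.
cert_binds_to_upn() {
  cert_sans "$1" \
    | grep -iE '^(othername|email)' \
    | sed 's/.*://' \
    | grep -qixF "$2"
}

# Succeed if certificate $1 lists the Client Authentication EKU, which a
# user certificate issued for Entra CBA is expected to carry.
cert_allows_client_auth() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Constructed stand-in: write a self-signed certificate for user $2 to $1 with
# the SAN shape (UPN otherName plus e-mail) a smartcard CMS would issue.
make_sample_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1" -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$2,email:$2" \
    -addext "extendedKeyUsage=clientAuth" 2>/dev/null
}

# Usage against an exported key certificate:
#   cert_binds_to_upn cert.pem alice@contoso.example && echo "binding OK"
```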