In an effort to protect the nation’s infrastructure and improve cybersecurity, Executive Order 14028 and the Office of Management and Budget Memo M-22-09 took a strong stance by requiring phishing-resistant authentication for all federal agencies. The M-22-09 memo also names two standards-based authentication protocols that satisfy the phishing-resistant requirement: FIDO2/WebAuthn and PIV smart cards.

In the Microsoft ecosystem, PIV smart cards have long been supported for desktop systems on Windows and macOS. Recently, the company announced a great win for government agencies and organizations already using smart cards by expanding support for PIV smart cards on mobile devices using YubiKeys. 

If you read Joe Scalone’s take on FIDO2 for the federal government, you may be wondering about the Microsoft customers that don’t have the PKI infrastructure to support smart card issuance, about government users that are not PIV eligible, or about customers that want to move to modern FIDO2-based authentication and need support on mobile devices. These are great questions.

Entra ID (Azure AD) has supported the use of YubiKeys for FIDO2 passwordless sign-in since 2021, and customers have been waiting ever since to sign in with their YubiKey from their mobile devices. Now the tide is beginning to change. Microsoft recently announced General Availability for using FIDO2 security keys with Safari, and this new support goes beyond desktops to include iPhones and iPads.

Now users can sign in to any Entra ID protected web application on their iPhone or iPad using any of the supported browsers. This is what it looks like when you sign in to office.com on an iPhone with a YubiKey 5Ci:

1. Open Safari and go to office.com
2. Select Sign-in options
3. Select Sign in with a security key
4. Select Security key, or simply touch the YubiKey if it is already plugged in
5. Insert and touch the YubiKey
6. Enter the YubiKey PIN
7. Touch the YubiKey again
8. You are signed in!

Conditional Access Policy Authentication Strengths

By now, every organization should be well on its way on a passwordless and Zero Trust journey. With support for mobile, organizations can now take one more step on that journey.

Conditional Access Authentication Strengths was also announced by Microsoft this spring, giving customers the flexibility to require PIV or FIDO2 everywhere except for the edge cases where the protocols aren’t supported yet. This lets organizations move closer to a modern passwordless end state in which end users are no longer allowed to use phishable authentication methods when accessing applications.

These Conditional Access Policies are powerful and flexible. With authentication strengths, organizations will be able to enable:

Out-of-the-box policies that require phishing-resistant authentication, enforcing that:
  - Users sign in with FIDO2 security keys, certificate-based authentication, or Windows Hello for Business.

Custom policies that require FIDO2 security keys, enforcing that:
  - Users sign in with any FIDO2 security key, such as a YubiKey, to access the environment.
  - Users sign in with specific models, such as the YubiKey 5 FIPS series, by specifying the exact AAGUIDs. AAGUIDs are the identifiers that FIDO2 security key vendors use to uniquely identify their device models.

Custom policies that require certificate-based authentication, enforcing that:
  - Users sign in with YubiKeys as PIV smart cards to access the environment.
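The AAGUID that an authentication strength matches against is not typed in by the user; it is carried inside the FIDO2 registration response, in the attestedCredentialData portion of the WebAuthn authenticatorData. The following script is an added example (not code from the Yubico post, from Microsoft, or from Entra ID itself) of what a relying party does with it: it parses the authenticatorData layout from the WebAuthn specification, checks the user-verified flag (the PIN step in the sign-in walkthrough above) and compares the reported AAGUID against an allowlist of approved models. Every AAGUID in the block is a constructed placeholder, as is the sample authenticatorData; real values come from the vendor’s published list (Yubico publishes one per YubiKey model).

```python
from __future__ import annotations

import hashlib
import struct
import uuid

# authenticatorData layout (WebAuthn spec, "Authenticator Data"):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
#   | attestedCredentialData, present only when the AT flag is set:
#       aaguid (16 bytes) | credentialIdLength (2 bytes, big-endian)
#       | credentialId | credentialPublicKey (COSE key, CBOR-encoded)
FLAG_UP = 0x01  # user present (touched the key)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_AT = 0x40  # attested credential data is included

# Constructed placeholder AAGUIDs for this example only. Real values come from
# the vendor's published list (Yubico publishes one per YubiKey model/firmware).
ALLOWED_AAGUIDS = {
    "00000000-0000-4000-8000-0000000000a1",  # placeholder: "approved FIPS model"
    "00000000-0000-4000-8000-0000000000a2",  # placeholder: "approved NFC model"
}
OTHER_AAGUID = "00000000-0000-4000-8000-0000000000ff"  # placeholder: unapproved key


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split raw authenticatorData into fields; aaguid/credential_id stay None without AT."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:  # 37 header + 16 aaguid + 2 length
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credentialId shorter than credentialIdLength")
        parsed["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        parsed["credential_id"] = cred_id
    return parsed


def registration_allowed(auth_data: bytes, allowed_aaguids: set, require_uv: bool = True) -> tuple:
    """Policy decision for one registration response: (accepted, reason)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["aaguid"] is None:
        return False, "no attested credential data in registration response"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification (PIN/biometric) was not performed"
    if parsed["aaguid"] not in allowed_aaguids:
        return False, f"AAGUID {parsed['aaguid']} is not an approved model"
    return True, f"AAGUID {parsed['aaguid']} approved"


def build_sample_auth_data(aaguid: str, credential_id: bytes,
                           flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                           sign_count: int = 0) -> bytes:
    """Constructed authenticatorData for offline testing, standing in for a real key's output."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()  # placeholder RP ID
    header = rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
    if not flags & FLAG_AT:
        return header
    cose_key_stub = b"\xa0"  # empty CBOR map standing in for the COSE public key
    return (header + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(credential_id)) + credential_id + cose_key_stub)


if __name__ == "__main__":
    cred = bytes(range(32))
    samples = [
        ("approved key, PIN verified", build_sample_auth_data("00000000-0000-4000-8000-0000000000a1", cred)),
        ("unapproved key", build_sample_auth_data(OTHER_AAGUID, cred)),
        ("approved key, no PIN", build_sample_auth_data("00000000-0000-4000-8000-0000000000a1", cred,
                                                       flags=FLAG_UP | FLAG_AT)),
    ]
    for label, data in samples:
        print(label, "->", registration_allowed(data, ALLOWED_AAGUIDS))
```

One caveat a practitioner should keep in mind: the AAGUID is a value the authenticator reports about itself. It is only trustworthy when the attestation statement in the same registration response is verified against the vendor’s metadata; the Entra ID FIDO2 security key method has an Enforce attestation setting for exactly this, so an authentication strength that pins specific AAGUIDs should be paired with it.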

Remember how I said it was a journey? Well, native apps don’t support FIDO2 authentication yet on macOS and iOS, and Android does not support FIDO2 sign-in to Entra ID yet either. Microsoft has committed to delivering these features, but they aren’t here yet. Nevertheless, we celebrate these milestones and look forward to the day organizations can finally go passwordless everywhere.

How to get started using YubiKeys with Safari

If your YubiKey does not have a FIDO2 PIN set yet, you will first need to set one, because Safari does not offer a way to set the PIN during registration. On iOS there is no convenient way to do this either. The following steps use Yubico Authenticator on a macOS desktop to set the PIN, but other options exist, such as YubiKey Manager or Chrome on macOS.

Set a PIN on macOS.

Install Yubico Authenticator on macOS

Open Yubico Authenticator

Insert the YubiKey

Select WebAuthn and select the Configure YubiKey options in the top-right

Select Set PIN

Set the desired PIN and select Save

A FIDO2 PIN is now set on the YubiKey, and you can register it with Entra ID using Safari on your iPhone, iPad or macOS desktop:

1. Open Safari, go to aka.ms/mysecurityinfo, type in your username and select Next.
2. Sign in to your account using an authentication method that is considered multi-factor; here we will use a Temporary Access Pass (TAP). Type in the TAP code and select Sign in.
3. Select + Add sign-in method.
4. Select Security key and continue to follow the prompts.
5. Indicate whether you are using NFC or USB (USB also covers the Lightning connector).
6. Select Security key, or simply touch the YubiKey if it is already inserted.
7. Insert the YubiKey, or tap it on the back of the phone, and type in the PIN.
8. Scan or insert the YubiKey again and touch it.
9. Provide a nickname for the YubiKey and select Next.
10. Select Done.
11. Verify the new YubiKey is listed as a new authentication method.

——

For more information on how Yubico and Microsoft work together to help organizations prevent phishing with enforced FIDO, Azure AD CBA and YubiKeys on mobile devices, check out our webinar series here.

The post Microsoft Entra ID (Azure AD) adds FIDO2 support on iOS and Conditional Access Authentication Strengths now generally available appeared first on Yubico.
