Device-bound Passkeys on mobile devices now used for Authentication

13.02.2024 | Blog, Microsoft Security

Hello everyone, how many times have you forgotten your keys when you left your home?

How many times have you forgotten your mobile phone when you left your home? Well, not many times, right? The mobile phone is an integral part of your life now!


The good news is, beginning January 2024, Microsoft Entra ID has started to support device-bound passkeys stored on computers and mobile devices as an authentication method in public preview, in addition to the existing support for FIDO2 security keys. This enables your users to perform phishing-resistant authentication using the devices they already have.

All of us know the function of the Microsoft Authenticator app, but here is a one-line recap. The Microsoft Authenticator app is the flagship authentication credential that allows you to authenticate with your mobile device wherever you go. This authentication method is constantly evolving to better support enterprises. One such evolution is what this blog is all about.

Phishing-resistant Microsoft Authenticator

I am excited to share with you all that the Microsoft Authenticator is going phishing-resistant to combat attacker-in-the-middle attacks.

Over time, customers have repeatedly asked for device-bound, phishing-resistant credentials. Accounts that are assigned highly privileged administrative rights are the frequent targets of attackers. Requiring phishing-resistant multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.

Now the MS Authenticator App is going to fulfill this requirement by leveraging device-bound passkeys.

It will be available on Android 14+ and iOS 17+ devices.

It will also continue to evolve and be updated with the latest security enhancements to the FIDO standard.

How to Set Up the Phishing-Resistant Authenticator?

All my admin colleagues out there can log in to the MEM portal and create a Conditional Access policy with the grant settings shown below:
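The same Conditional Access policy can be created from PowerShell instead of the portal. The script below is an added example, not part of the original post or of any Microsoft documentation: using the Microsoft Graph PowerShell SDK, it requires the built-in "Phishing-resistant MFA" authentication strength for a set of privileged directory roles. The role list, the policy name, the report-only state and the break-glass account placeholder are assumptions; adjust them to your tenant.

```powershell
# Added example (not from the original post): create a report-only Conditional Access
# policy that grants access only with the built-in "Phishing-resistant MFA"
# authentication strength, scoped to privileged directory roles.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Resolve the built-in authentication strength by display name instead of hardcoding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' } |
    Select-Object -First 1
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' authentication strength not found." }

# Roles to protect (assumed list; extend to match your admin model).
$roleNames = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Security Administrator',
    'Conditional Access Administrator'
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id
if ($roleIds.Count -ne $roleNames.Count) { throw 'Not every role template resolved; check the role names.' }

$params = @{
    displayName   = 'CA - Require phishing-resistant MFA for privileged roles'
    # Start in report-only mode and review the sign-in logs before enforcing.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles = $roleIds
            # Always exclude your emergency-access (break-glass) account.
            # Placeholder object ID below; replace with the real one.
            excludeUsers = @('00000000-0000-0000-0000-000000000000')
        }
    }
    grantControls = @{
        operator               = 'OR'
        # Authentication strength replaces the classic "Require MFA" built-in control.
        authenticationStrength = @{ id = $strength.Id }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Output "Created policy '$($policy.DisplayName)' with id $($policy.Id) in state '$($policy.State)'."
```

Once the report-only results look right, switch the policy to `state = 'enabled'` with `Update-MgIdentityConditionalAccessPolicy`. Note that the authentication strength only decides which methods satisfy the grant; the passkey (FIDO2) method itself still has to be enabled for the users in the Authentication methods policy, otherwise they cannot register the passkey described in the next section.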


MS Authenticator App adopts Passkeys on your Mobile Device

Set-up for the end user:

Scenario 1: The user wants to log in to the MS Office app.

  1. The user needs to set up the phishing-resistant Microsoft Authenticator app.
  2. For this, download the app from the Google Play Store or Apple App Store.
  3. The user goes through the first-run experience in the app and taps on Work or School Account. First, the user completes the sign-in.
  4. Once signed in, the Authenticator app checks the policies and knows that the user can register a passkey in the MS Authenticator App.
  5. The user then goes through the passkey creation process and uses Face ID or a PIN to prove ownership of the device.
  6. The user's account is now added to the MS Authenticator App.
  7. The user has been registered for the passkey along with the other traditional known credential methods, such as passwordless phone sign-in.
  8. The user can now navigate to the account view and look at the details of his passkey in the app.

Usage by the end user:

  • Once the passkey is set up, the user is all set to sign in to the Office application and access it on his mobile device.
  • For this, the user navigates to the Office app on his mobile phone and enters his username.
  • He is prompted to sign in with Face/fingerprint/device PIN.
  • After this, the OS prompts take over.
  • The user uses his Face ID to successfully use the passkey stored in the Authenticator app and is signed in to Office. Additionally, the user can also use this passkey to sign in to other Microsoft apps on the same device.

Scenario 2: In addition to signing in to the app to set up his passkey, the user can also register the passkey in the MS Authenticator app from a different device, leveraging cross-device authentication flows.

More Information can be found here:


Stay tuned to our blogs for more such updates. As I always say, The Fastest Way To Learn & Retain Any Skill Is To Teach It!

Author: Salona Sahni Kapoor aka #Intunesiastic

cubic solutions GmbH
