Published: Sep 05, 2024
Key Takeaways:
Microsoft Entra ID has released FIDO2 provisioning APIs in public preview, allowing administrators to pre-configure security keys for employees. This update aims to simplify the onboarding process and strengthen defenses against phishing attacks.
Microsoft emphasizes the need for businesses to adopt phishing-resistant methods, such as passkeys and certificate-based authentication (CBA), to safeguard users from Adversary-in-the-Middle (AitM) phishing and social engineering attacks. Previously, users had to manage the registration of their own security keys, but that is no longer the case.
“While customers can still deploy security keys in their default configuration to their users, or allow users to bring their own security keys which requires self-service registration by a user, the APIs allow keys to be pre-provisioned for users, so users have an easier experience on first use,” Microsoft explained.
Microsoft has updated the FIDO2 passkey APIs so that administrators can request from Entra ID (formerly Azure Active Directory) the data needed to create a WebAuthn credential. That data can then be used to generate and register a passkey on the user's behalf, allowing the user to authenticate without a password.
Microsoft has also collaborated with 10 leading Credential Management System (CMS) providers to ensure that their platforms support the FIDO2 provisioning APIs. These include Yubico, Versasec, Axiad, HID, Selectec, Thales, and more.
In recent years, Microsoft has been improving its FIDO2 passkey capabilities and plans to add more features for passkey provisioning soon. The goal is to integrate these new capabilities into the Entra admin center, allowing administrators to manage and provision FIDO2 security keys directly for employees.
Microsoft advises IT administrators to contact their CMS provider for details on how that provider's platform integrates with the Microsoft Entra ID FIDO2 Provisioning APIs. If you’re interested, we invite you to check out this support page for more information on enabling passkeys (FIDO2) for your organization.