Microsoft Entra ID Enhances Security with FIDO2 Provisioning APIs for Simplified Onboarding

Published: Sep 05, 2024

Network Security


Key Takeaways:

  • Microsoft Entra ID has introduced FIDO2 provisioning APIs that allow administrators to pre-configure security keys for users.
  • The update aims to strengthen defenses against phishing and social engineering attacks.
  • Microsoft has partnered with leading Credential Management System (CMS) providers to ensure their platforms support the new FIDO2 provisioning APIs.

Microsoft Entra ID has released FIDO2 provisioning APIs in public preview, allowing administrators to pre-configure security keys for employees. This update aims to simplify the onboarding process and strengthen defenses against phishing attacks.

Microsoft emphasizes the need for businesses to adopt phishing-resistant methods, such as passkeys and certificate-based authentication (CBA), to safeguard users from Adversary-in-the-Middle (AitM) phishing and social engineering attacks. Previously, users had to manage the registration of their own security keys, but that is no longer the case.

“While customers can still deploy security keys in their default configuration to their users, or allow users to bring their own security keys which requires self-service registration by a user, the APIs allow keys to be pre-provisioned for users, so users have an easier experience on first use,” Microsoft explained.

How does Entra ID FIDO2 provisioning work?

Microsoft has updated the FIDO2 passkey APIs to enable administrators to request data from Entra ID (formerly Azure Active Directory) needed to create a WebAuthn credential. This data can then be used to generate and register a passkey that allows users to authenticate without a password.

Figure: Steps required to register a security key (Image Credit: Microsoft)

Microsoft has also collaborated with 10 leading Credential Management System (CMS) providers to ensure that their platforms support the FIDO2 provisioning APIs. These include Yubico, Versasec, Axiad, HID, Selectec, Thales, and more.

Microsoft Entra admin center to add more provisioning features

In recent years, Microsoft has been improving its FIDO2 passkey capabilities and plans to add more features for passkey provisioning soon. The goal is to integrate these new capabilities into the Entra admin center, allowing administrators to manage and provision FIDO2 security keys directly for employees.

Microsoft advises IT administrators to reach out to their CMS provider for details on how their platforms integrate with the Microsoft Entra ID FIDO2 Provisioning APIs. If you’re interested, we invite you to check out this support page for more information on enabling passkeys (FIDO2) for your organization.
