Laura Hyde |
Microsoft has made FIDO2-standard provisioning APIs for Entra ID available for public preview.
The new APIs, which work with both hardware FIDO2 keys and virtual FIDO2 security keys, allow organisations to handle provisioning for users, rather than users registering their own security keys.
“Adopting phishing-resistant authentication is critical – attackers have increased their use of adversary-in-the-middle phishing and social engineering attacks to target MFA (multi-factor authentication)-enabled users,” said Alex Weinert of Microsoft’s Identity Division in a post about the new APIs on the Microsoft website. “Phishing-resistant authentication methods, including passkeys, certificate-based authentication (CBA), and Windows Hello for Business, are the best ways to protect from these attacks.”
Microsoft has collaborated with 10 certificate management system vendors to integrate the new FIDO2 provisioning APIs into their solutions.
One of those is HYPR, whose Identity Assurance Platform provides passwordless MFA. “Users simply pair their Windows workstation with HYPR and the passkey is automatically added to their Entra profile,” said Martin Gallo, senior product manager at HYPR, in an article about the partnership on the HYPR website. “HYPR Enterprise Passkeys work in both fully Entra-joined and hybrid-joined environments, with multiple transport options for greater flexibility.”
HYPR is one of 10 certificate management system provides to integrate the new APIs (image courtesy of HYPR)
“This partnership underscores our commitment to delivering a secure and interoperable ecosystem for our customers,” said Tim Larson, Microsoft’s senior product manager for Microsoft Entra. “Their involvement has been instrumental in ensuring that the APIs are robust, versatile, and ready for real-world challenges.”
This latest release follows Microsoft’s expansion of passkey support in Microsoft Entra ID in May, when it introduced device-bound passkey support in Microsoft Authenticator.