Thales Blog

Azure AD and Thales support for certificate-based authentication (CBA) reflects the growing value of high assurance MFA

March 31, 2022

Tammy Wood | Sr. Marketing Manager, Public Sector

To help protect the United States from increasingly sophisticated cyber threats, the White House issued Executive Order (EO) 14028 in May 2021 to modernize Federal Government cybersecurity, secure the software supply chain, and improve detection of vulnerabilities and incidents on federal networks. The EO directs federal agencies to accelerate their move to secure cloud services, plan and implement a Zero Trust architecture, deploy Endpoint Detection and Response (EDR) on their networks, and adopt multi-factor authentication (MFA) and encryption for data at rest and in transit. Of these controls, MFA is the one aimed most directly at the stolen or phished credentials behind cyber threats such as ransomware.

Microsoft Azure CBA Feature

In response to the EO, and to help customers follow NIST Zero Trust guidance, Microsoft recently announced cloud-native certificate-based authentication (CBA) for Azure AD, in public preview across its commercial and US Government clouds. Azure AD users can now authenticate with X.509 certificates held on their smart cards or devices directly against Azure AD for browser and application sign-in: Azure AD validates the certificate against the certificate authorities uploaded to the tenant and maps a certificate field to the user account itself, instead of federating the sign-in to an on-premises identity provider.

Phishing remains one of the most common threats to organizations, so defending against it is still critical. Cloud-native CBA demonstrates Microsoft’s commitment to the federal Zero Trust strategy and gives government organizations a phishing-resistant MFA option that meets EO/NIST requirements: the private key never leaves the smart card or token, and what the card produces is a signature bound to the session with the genuine service, so nothing a look-alike site captures can be replayed against Azure AD.

With the new Azure AD cloud-native CBA support, Microsoft customers can use Thales’s dedicated PKI and all-in-one PKI/FIDO smart cards or USB authenticators, with SafeNet Authentication Client (SAC) as the middleware and vSEC:CMS as the credential management system for smart card/token and certificate life-cycle management, to authenticate natively to applications protected by Azure AD. This removes the need for additional on-premises federation infrastructure such as ADFS.
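The sign-in path described above, as an added example rather than Thales’s or Microsoft’s code: a Python model of the decisions an identity provider has to make once the smart card certificate arrives directly, with no ADFS in between. It checks the presented certificate against the CAs uploaded to the tenant (an issuer that copies a trusted CA’s name but signs with a different key is rejected), binds the certificate to a directory user through the SAN fields Azure AD CBA supports for username binding (the PrincipalName UPN first, the RFC822Name e-mail second), and assigns single- or multi-factor strength per issuer. The CA names, user accounts, policy dictionary and the "SingleFactor"/"MultiFactor" labels are constructed for the example; the real settings live in the tenant’s authentication methods policy, and the middleware and CMS steps that put the certificate on the card are out of scope. It needs the `cryptography` package.

```python
"""Model of cloud-native certificate-based authentication (CBA) checks.
Added example, not Thales or Microsoft code: what an identity provider decides when a smart card
certificate is presented directly, with no ADFS in the path. CA names, users and the policy
dictionary are constructed here. Requires: pip install cryptography
"""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName = PrincipalName field

def _builder(subject, issuer, public_key, days):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=days)))

def make_ca(common_name):  # self-signed test CA, constructed for the example
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (_builder(name, name, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_user_cert(ca_key, ca_cert, cn, upn=None, email=None):
    """End-entity cert as a CMS would load onto a card; the SAN carries the binding fields."""
    key = ec.generate_private_key(ec.SECP256R1())
    san = []
    if upn:  # otherName value is a DER UTF8String: tag 0x0C, one-byte length (UPN < 128 chars), bytes
        raw = upn.encode()
        san.append(x509.OtherName(UPN_OID, b"\x0c" + bytes([len(raw)]) + raw))
    if email:
        san.append(x509.RFC822Name(email))
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (_builder(subject, ca_cert.subject, key.public_key(), 365)
            .add_extension(x509.SubjectAlternativeName(san), critical=False)
            .sign(ca_key, hashes.SHA256()))

def certificate_bindings(cert):
    """Return the SAN fields a CBA username-binding policy can use."""
    fields = {}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return fields
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            fields["PrincipalName"] = other.value[2:2 + other.value[1]].decode()
    emails = san.get_values_for_type(x509.RFC822Name)
    if emails:
        fields["RFC822Name"] = emails[0]
    return fields

def authenticate(cert, policy):
    """The identity provider's decision for one presented certificate (validity dates omitted)."""
    issuer = cert.issuer.rfc4514_string()
    ca = policy["trusted_cas"].get(issuer)
    if ca is None:
        return {"ok": False, "reason": "untrusted_issuer"}
    try:  # a matching issuer *name* is not trust; the signature must verify under the uploaded CA key
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return {"ok": False, "reason": "bad_signature"}
    fields = certificate_bindings(cert)
    for cert_field, user_attr in policy["username_bindings"]:  # priority order, first hit wins
        value = fields.get(cert_field)
        for user_id, attrs in policy["users"].items():
            if value is not None and attrs.get(user_attr, "").lower() == value.lower():
                mode = policy["issuer_rules"].get(issuer, policy["default_mode"])
                return {"ok": True, "user": user_id, "bound_on": cert_field, "mode": mode}
    return {"ok": False, "reason": "no_user_binding"}

def build_scenario():
    """Constructed tenant: two trusted CAs plus a rogue CA that copies the agency CA's name."""
    agency_key, agency_ca = make_ca("Agency Smart Card CA")
    partner_key, partner_ca = make_ca("Partner CA")
    rogue_key, rogue_ca = make_ca("Agency Smart Card CA")  # same DN as the agency CA, different key
    agency, partner = agency_ca.subject.rfc4514_string(), partner_ca.subject.rfc4514_string()
    policy = {
        "trusted_cas": {agency: agency_ca, partner: partner_ca},
        "username_bindings": [("PrincipalName", "onPremisesUserPrincipalName"),
                              ("RFC822Name", "userPrincipalName")],
        "default_mode": "SingleFactor",           # Azure AD: x509CertificateSingleFactor /
        "issuer_rules": {agency: "MultiFactor"},  # x509CertificateMultiFactor, keyed by issuer
        "users": {"alice@agency.example": {"userPrincipalName": "alice@agency.example",
                                           "onPremisesUserPrincipalName": "alice@corp.agency.local"},
                  "bob@agency.example": {"userPrincipalName": "bob@agency.example"}},
    }
    certs = {"alice": issue_user_cert(agency_key, agency_ca, "Alice", upn="alice@corp.agency.local"),
             "bob": issue_user_cert(partner_key, partner_ca, "Bob", email="bob@agency.example"),
             "rogue_alice": issue_user_cert(rogue_key, rogue_ca, "Alice", upn="alice@corp.agency.local"),
             "unknown": issue_user_cert(agency_key, agency_ca, "Mallory", upn="mallory@corp.agency.local")}
    return policy, certs
```

Calling `authenticate` on each certificate from `build_scenario` gives the four outcomes worth knowing when rolling this out: Alice binds on PrincipalName at multi-factor strength because her issuer carries a rule, Bob binds on RFC822Name but only at the single-factor default because the partner CA has no rule, the rogue certificate fails on signature even though its issuer name matches a trusted CA, and a certificate whose UPN is not in the directory fails with no user binding rather than falling through to a weaker match.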

Thales PKI and FIDO2 Smart Cards

Thales is a passwordless authentication expert and protects identities everywhere, including in the Microsoft ecosystem. Thales’s range of FIDO2 and certificate-based smart cards offers strong MFA in traditional credit-card and USB form factors for organizations that need high assurance access security. The cards provide a converged all-in-one solution for X.509 PKI and FIDO2 strong authentication, so a single device covers remote access to cloud and web services, network logon, secure access to RDP and virtual environments, digital signature and email encryption.

With more than 25 years of experience in MFA and authentication, Thales helps organizations comply with EO 14028 by strengthening their authentication capabilities with its dedicated PKI and all-in-one PKI/FIDO authenticators. Thales provides the largest set of authentication methods worldwide, including FIDO authenticators, X.509 PKI certificate-based USB tokens and smart cards, an authenticator app with phone tokens for all major mobile platforms, hardware and software OTP tokens, biometrics, PINs and out-of-band (OOB) authentication.

By protecting each of your access points, Thales protects your entire business: all it takes for a compromise is one unprotected machine, application or cloud connection. Thales doesn’t leave you exposed.

Combined Microsoft Azure and Thales Product Offering

With the announcement of the cloud-native CBA feature in Azure AD, Microsoft customers can take advantage of Thales’s portfolio of X.509 certificate-based and FIDO2 authentication devices to secure access to cloud and on-premises apps managed by Azure AD. Combining PKI and FIDO2 authentication in a single device lets organizations extend high assurance access security to the cloud while building on their existing PKI environments.

Learn how you can reduce risk to your Windows logon and SaaS applications with FIDO passwordless authentication using multi-factor authentication (MFA) hardware devices. You can also watch our on-demand webinar to understand how to kick off your passwordless FIDO journey with Thales and Microsoft.