Thales Blog

Thales and Microsoft partner to provide Azure customers with FIDO and CBA phishing-resistant authentication

October 13, 2022

Sarah Lefavrais | IAM Product Marketing Manager

The accelerating digital transformation of organizations around the world and the adoption of a hybrid workforce have exposed essential systems and sensitive data to rising cyber threats. The impact and cost of cyber-attacks have skyrocketed, driving the need for better identity protection with phishing-resistant Multi-Factor Authentication (MFA).

Strong, phishing-resistant MFA now at the center of government cybersecurity recommendations

Around the world, government cybersecurity agencies are increasing their requirements and recommending the use of phishing-resistant authentication methods.
In 2021, to help protect the United States from increasing cyber threats, the White House issued an Executive Order (EO 14028) with the goal of improving security in the Federal Government. By 2024, Federal agencies must enforce MFA for access to federal systems, using phishing-resistant authentication methods: Certificate-Based Authentication (CBA) with Personal Identity Verification (PIV) cards or derived PIV credentials, and FIDO2 authentication based on the WebAuthn standard.

In February 2022, the European Union Agency for Cybersecurity (ENISA) released the guideline “Boosting your organization’s cyber resilience”, which recommends that organizations protect all remotely accessible services with multi-factor authentication (MFA). It advises that organizations should consider “deploying phishing-resistant tokens such as smart cards and FIDO2 security keys.”

Microsoft Azure Certificate-Based Authentication Support

As a response to the Executive Order 14028 and to help customers adhere to NIST guidelines around Zero Trust, Microsoft recently announced the general availability of Azure AD Certificate-Based Authentication (CBA). Now, Azure AD users can authenticate using X.509 certificates on their smartcards or devices directly against Azure AD for browser and application sign-in.

Since phishing remains one of the most common threats to organizations, it continues to be critical to defend against. Azure AD cloud-native CBA demonstrates Microsoft’s commitment to the federal Zero Trust strategy and helps government organizations implement the most prominent phishing-resistant MFA to meet EO/NIST requirements.

Thales phishing-resistant certificate-based and FIDO2 Authenticators

With more than 25 years of experience in MFA and authentication, Thales is a passwordless authentication expert. As a member of the Microsoft Intelligent Security Association (MISA), we protect identities everywhere, including the Microsoft ecosystem.

Thales offers strong phishing-resistant authenticators in traditional credit-card-sized smart card and USB form factors. With our X.509 certificate-based PKI USB tokens, smart cards, and FIDO2 devices, organizations can secure access to a wide variety of sensitive resources:

Protect SaaS Apps

Since the majority of users re-use their passwords across apps, you can improve security and reduce calls to the helpdesk by equipping users with FIDO2 authenticators. Thales FIDO2 devices are fully compatible with Azure AD and ensure secure access to Azure AD managed applications.

Windows PC and Network Login

FIDO2 devices provide passwordless MFA, enabling users to securely access Windows PCs and tablets.

Combined FIDO-PKI cards offer a single device for securely logging into any OS, including Windows 10 and 8, Windows Server OS, macOS, and Linux. This means that organizations can use Thales FIDO-PKI devices to support both FIDO and PKI authentication as well as digital signature needs.

Meet stringent compliance mandates

Thales combined FIDO-PKI smart cards let you meet all your regulatory needs. They are compliant with NIST regulations, Common Criteria (CC) certified, FIPS 140-2 (pending NIST review), and ANSSI qualified for the Java platform and the PKI applet. They also meet eIDAS regulations for both eSignature and eSeal applications.

Extend modern authentication to PKI Environments

Organizations that rely on PKI authentication can now use a combined PKI-FIDO smart card to facilitate their cloud and digital transformation initiatives by providing their users with a single authentication device for securing

Physical-Logical access

For optimum convenience, Thales FIDO smart cards also support physical access, enabling users to access both physical spaces and logical resources with a single customizable smart card.

Combine Microsoft Azure AD with Thales authenticators to reduce security breaches and meet US / EU regulations

With the new Azure AD cloud-native CBA support, Microsoft customers can use Thales X.509 certificate-based tokens, smart cards, and FIDO2 devices for all their identity protection needs. By supporting multiple use cases (PKI, CBA, FIDO2 authentication, physical access) in a single device, Thales allows organizations to extend high-assurance access to the cloud while building on their existing environments.

To promote this technological partnership, and by mutual agreement with Microsoft, Thales has launched a new, modern design for its FIDO2 USB keys: white, with the Microsoft Security logo on one side. Contact us for a free sample.

You can also learn more about Thales FIDO2 Authentication for Azure AD in our solution brief, or watch this on-demand webinar to understand how to kick off your passwordless FIDO Journey with Thales and Microsoft.

Finally, to understand how to comply with the US Government Zero Trust Strategy with Microsoft and Thales, watch this on-demand webinar.
