Boost identity protection with Axiad Cloud and Microsoft Entra ID
This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.
Passwords are a security weakness and phishing attacks to exploit accounts protected by passwords are on the rise. The last 12 months have seen an average of more than 4,000 password attacks per second an almost threefold increase from the previous year, a phishing continues to be the preferred attack method by cybercriminals.1 Clearly, better solutions are needed to help reduce reliance on passwords and increase security. Phishing-resistant multifactor authentication methods like certificate-based authentication (CBA) are proven to increase account security while decreasing reliance on passwords. Microsoft studies found that your account is more than 99.9 percent less likely to be compromised if you use multifactor authentication.2 The power of Axiad Cloud complements Microsoft Azure Active Directory, now Microsoft Entra ID, with Axiad CBA for identity and access management (IAM) to prevent common phishing attacks by provisioning and managing phishing-resistant, passwordless credentials for users everywhere. Together, Axiad and Microsoft enable customers to secure entities, enhancing security and reducing IT complexity.
The rise in cyberattacks
Multifactor authentication fatigue has become increasingly popular among bad actors in recent years. Multifactor authentication fatigue involves flooding user authentication apps with push notification requests to authorize a sign-in. The goal is to frustrate users to the point where they accept one of the approval notifications typically to get the notifications to stop. Once that occurs, the attacker can gain access to the victim’s account. Sometimes these attacks become more sophisticated and add a social engineering or spear phishing component where an attacker will pose as an IT or help desk employee to a targeted victim and ask the victim to approve authentication through an app or ask for the victim’s one-time password (OTP) code. Both techniques can result in an organization losing money and damaging its reputation to remediate the attack.
One example of a high-profile multifactor authentication fatigue attack is the ridesharing platform breach by Lapsus$, a hacking group notorious for their social engineering attacks, that occurred in September 2022. According to an article by Infosecurity Magazine, one of the documents included in the breach may have contained email addresses and information for more than 77,000 employees.3
As IT environments become more complex and multilayered to combat cybersecurity attacks, authentication processes for applications, operating systems, and workplace locations are increasingly managed in silos. This leaves IT teams overwhelmed and organizations vulnerable to the attacks they are working to avoid.
Implementing CISA’s guidance for enhanced security
As bad actors have found ways to bypass some authentication protocols, many organizations are looking to enhance their security with phishing-resistant multifactor authentication. Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for implementing stronger, phishing-resistant multifactor authentication to enhance authentication security and avoid phishing attacks.4 The guidance urges all organizations to implement phishing-resistant multifactor authentication methods, such as CBA. These protocols have additional built-in protections to prevent phishing and resist increasingly automated, sophisticated attacks on authentication processes. The Identity Defined Security Alliance (IDSA) recently created an infographic illustrating the 2022 trends in securing digital identities.5 IDSA found that 96 percent of organizations that have suffered a breach report that it could have been prevented or minimized by implementing identity-related security outcomes. Implementation of phishing-resistant multifactor authentication methods can drastically help reduce that risk.
Axiad recommends organizations implement phishing-resistant multifactor authentication methods. This is one of the simplest steps organizations can take to protect their environments and keep hackers out. Axiad Cloud is a great complement to existing Microsoft Entra ID customers looking to strengthen their security perimeter.
Integrate with Microsoft Entra ID
The power of Axiad Cloud complements Microsoft Entra ID with Axiad CBA for IAM by provisioning and managing phishing-resistant, passwordless credentials for users everywhere. Microsoft customers can leverage Microsoft Entra ID CBA with certificates provisioned and managed by Axiad Cloud. Axiad CBA for IAM can support issuing and managing certificates with a variety of authenticators such as physical smart cards, virtual smart cards, and YubiKeys. The Axiad Cloud-issued user certificates can be used to authenticate Microsoft 365 applications and workstations to protect companies’ most sensitive information and devices. This eliminates the need for multiple forms of authentication and reduces IT complexity. All entities are secured without using passwords or shared secrets, so the authentication process is secure from end to end.
This joint solution offers the following benefits:
Passwordless multifactor authentication: Provisions multiple types of authenticators that do not rely on a password or push notification that can easily be intercepted or compromised and supports phishing-resistant authentication as recommended by CISA.
Consolidated view: Provides administrators and users with a consolidated view of all authenticators and helps manage them from Axiad MyIdentities, which uniquely provides visibility into all user authenticators, including Microsoft Authenticator, Windows Hello for Business, OTP codes, and security keys. All authenticators and credentials can be managed with the Axiad Unified Portal. The portal provides administrators and users, the ability to provision credentials through a number of delivery workflows.
Self-service: Empowers self-service by enabling the workforce to issue department-level credential resets with Axiad MyCircle, thereby avoiding temporary passwords and reducing user friction. This improves user experience and reduces calls to the IT help desk for credential resets.
Increased efficiency: Replaces the use of multiple tools for enterprise deployment, management, and support of authenticators and credentials with Axiad Airlock. Organizations can automate multifactor authentication processes and checklists (for example, enforcing initial smart card setup and renewal) before an employee can gain full access to systems. Axiad Airlock allows organizations to streamline provisioning authenticators and credentials. Organizations can provide self-service credential lifecycle management including account recovery (replacement, temporary credentials, and PIN resets), expirations, renewals, and more.
With these benefits, CBA is increasingly deployed in the public sector. The majority of federal agency and defense employees and contractors use a Personal Identity Verification (PIV) card or Common Access Card (CAC), which are both forms of smart cards used for authentication. CBA simplifies the process of authenticating to Microsoft Entra ID using PIV- or CAC-based smart cards and meets the federal government’s requirement to move to phishing-resistant multifactor authentication solutions.
To further support Microsoft users on their journey to passwordless, Axiad is also an active member of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors and managed security service providers that have integrated their solutions with Microsoft Security products to better defend against a world of increasing threats. Through working in MISA, and with Microsoft product teams, Axiad is fully committed to aligning with Microsoft’s vision for securing customers’ environments with the best solutions possible.
Support cloud migration
Microsoft has recently advised their customers with on-premises Active Directory Federation Services (AD FS) to migrate to cloud-based Microsoft Entra ID for identity and access management. This helps customers to authenticate to Microsoft services directly against Microsoft Entra ID and eliminates the need for federated AD FS. This allows customers to simplify infrastructure and improve costs, security, and scalability. But how do customers ensure secure CBA remains intact while migrating to the cloud?
Customers can enable cloud migration by using the same certificate issued by Axiad Cloud to authenticate to on-premises resources protected by AD FS, and Microsoft 365 services by leveraging Microsoft Entra ID CBA. Axiad Cloud credentials used by AD FS to authenticate on-premises resources can continue to be used as applications are migrated to authenticate to Microsoft Entra ID. This provides flexibility in a cloud migration strategy and deployment. Users will also have the same authentication experience during the migration process as the same Axiad Cloud-issued credential will be used for authentication. This supports CBA across Microsoft 365 services.
Overall, this joint solution supports authentication needs across an enterprise environment. Together, these products can manage a broad range of phishing-resistant authenticators ranging from enterprise-grade mobile-based to government-grade compliant approaches. By creating a consolidated authentication experience across devices, authenticators, and locations, the solution both enhances security and reduces user friction. Axiad CBA for IAM helps organizations migrate to Microsoft Entra ID more rapidly or operate a hybrid Azure AD and on-premises active directory environment by keeping secure certificate-based authentication intact during the migration process.
Learn more about how Axiad Cloud, with Microsoft Entra ID, allows organizations to protect and easily authenticate to Microsoft 365 applications by visiting their website.
For more information about Axiad’s support of Microsoft Entra ID, visit the Azure Marketplace.
Microsoft Entra ID
New name, same powerful capabilities: Azure Active Directory is becoming Microsoft Entra ID.
Learn more
To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.
1Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID, Joy Chik. July 11, 2023.
2Your Pa$$word doesn’t matter, Alex Weinert. July 9, 2019.
3Uber Hit By New Data Breach After Attack on Third-Party Vendor, Alessandro Mascellino. December 13, 2022.
4More than a Password, CISA.
52022 Trends in Securing Digital Identities, IDSA. 2022.