Is Certificate Authentication Considered MFA? (2024)


15 Dec 2023

Are you trying to secure your organization with phishing-resistant credentials but are confused by all the options? You have come to the right place! In this post, I will explain if Certificate-Based Authentication is considered MFA as well as the different types of phishing-resistant credentials you can set up in Entra ID.

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) is any type of authentication that depends on at least two different types of factors to authenticate a user. This protects against attacks where the attacker compromises one factor but not other factors.

But what do we mean by factors? Authentication factors (all of them: certificate, password, fingerprint, etc.) can be boiled down to three types: something you know (for example, a password or a PIN), something you have (for example, a YubiKey, smartcard, phone, or PC) and something you are (for example, fingerprint, face ID, iris scan, etc.). So, simply put, multifactor authentication requires two out of the three ways to authenticate.

Is Certificate Authentication Multi-Factor Authentication?

Now to the question of whether certificate authentication is multifactor. The answer (as with everything in cybersecurity) is: it depends. Certificate-based authentication (CBA) is one of the most secure ways to authenticate because it depends on hard-to-brute-force cryptographic keys, but how you protect the private key is what ultimately defines whether CBA is MFA. Looking back at the MFA authentication factors, the certificate counts as something you have (the place where the certificate is stored; for example, the YubiKey, or the computer if you are pushing it using Intune SCEP or another MDM, or using Windows Hello for Business). If the certificate is protected by another factor, such as a PIN (something you know) or a biometric factor such as fingerprint or face ID (something you are), then it is considered MFA. On the other hand, if you can just use the certificate from, for example, the Windows certificate store, then it is considered to be single-factor.

Why Does Entra CBA Have Both Multi-Factor and Single Factor Authentication?

When you are setting up Entra CBA, you probably saw that it has the option to set up certificate authentication as either a multi-factor authentication method or a single-factor authentication method. The reason is that, when you authenticate with a certificate, Entra ID does not know how you are protecting the private key of that certificate; therefore, it gives you the ability to define whether to treat the certificates issued by each certificate authority as single-factor or multifactor authentication.

TL;DR: if your certificates are protected by either a PIN or a biometric factor, set Entra CBA for that CA as multi-factor; otherwise, set it as single factor. Setting it as single factor tells Entra ID to ask for a second factor when the user uses a certificate for authentication.
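The per-CA decision described above, together with the policy-OID rule quoted in the FAQ further down, can be modelled as a small lookup plus a configuration check. This is an added example, not code from the original post or from Microsoft; the `Binding` model, the rule precedence (policy OID before issuer), the single-factor default, and all CA names and the OID are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SINGLE, MULTI = "single-factor", "multi-factor"

@dataclass(frozen=True)
class Cert:
    issuer: str                       # subject of the issuing CA
    policy_oids: tuple = ()           # certificate policy OIDs

@dataclass
class Binding:                        # hypothetical model of the tenant's CBA settings
    issuer_rules: dict = field(default_factory=dict)   # CA -> SINGLE | MULTI
    oid_rules: dict = field(default_factory=dict)      # policy OID -> SINGLE | MULTI
    default: str = SINGLE             # assumption: unlisted CAs are single-factor

def strength(cert, b):
    """Factor strength the tenant assigns to this certificate."""
    hits = [b.oid_rules[o] for o in cert.policy_oids if o in b.oid_rules]
    if hits:                          # assumption: OID rules win over issuer rules
        return MULTI if MULTI in hits else SINGLE   # any MFA-bound OID qualifies
    return b.issuer_rules.get(cert.issuer, b.default)

def needs_second_factor(cert, b):
    """Single-factor certificates must be followed by another factor."""
    return strength(cert, b) == SINGLE

def audit(b, key_unlock):
    """Compare each CA's binding with how its private keys are actually unlocked."""
    findings = []
    for issuer, mode in sorted(b.issuer_rules.items()):
        protected = key_unlock.get(issuer) in ("pin", "biometric")
        if mode == MULTI and not protected:
            findings.append((issuer, "bound as MFA, but key use needs no PIN or biometric"))
        elif mode == SINGLE and protected:
            findings.append((issuer, "key already needs PIN or biometric; second prompt is redundant"))
    return findings

# Constructed sample data: CA names and the OID are placeholders.
BINDING = Binding(
    issuer_rules={"CN=Example Smartcard CA": MULTI, "CN=Example Device CA": MULTI},
    oid_rules={"1.3.6.1.4.1.99999.1.1": MULTI},
)
KEY_UNLOCK = {"CN=Example Smartcard CA": "pin", "CN=Example Device CA": None}

if __name__ == "__main__":
    for c in (Cert("CN=Example Smartcard CA"), Cert("CN=Unknown CA"),
              Cert("CN=Unknown CA", ("1.3.6.1.4.1.99999.1.1",))):
        print(c.issuer, strength(c, BINDING), "second factor:", needs_second_factor(c, BINDING))
    for issuer, problem in audit(BINDING, KEY_UNLOCK):
        print("FINDING:", issuer, "-", problem)
```

The audit finding for the device CA is the case the post warns about: a certificate usable straight from the certificate store is being counted as two factors.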


Is Certificate Authentication Phishing-Resistant?

The next question we usually get asked is, “Is CBA phishing resistant?” The answer is mostly yes, but it depends on how you protect your key. If the certificate is protected by hardware that makes it impossible to export the key (such as a YubiKey, smartcard, or TPM), then certificate-based authentication is considered phishing resistant, since the attacker cannot steal the private key of the certificate.


FAQs


Does a certificate count as MFA? ›

If one policy OID binds to MFA, all user certificates that include this policy OID as one of the OIDs (A user certificate could have multiple policy OIDs) qualify as MFA. One certificate issuer can only have one valid strong authentication binding (that is, a certificate can't bind to both single-factor and MFA).

Is cert-based authentication MFA? ›

Certificate-based multi-factor authentication, in conjunction with a Trusted Platform Module (TPM), is more secure than token- and SMS-based MFA methods alone. No additional hardware is needed.

Do security questions count as MFA? ›

When to Use Security Questions. Applications should generally use a password along with a second authentication factor (such as an OTP code) to authenticate users. The combination of a password and security questions does not constitute MFA, as both factors are the same (i.e. something you know).

What does not count as a form of MFA? ›

Proper multi-factor authentication uses factors from at least two different categories. Using two from the same category does not fulfill the objective of MFA. Despite wide use of the password/security question combination, both factors are from the knowledge category--and don't qualify as MFA.



What counts as MFA? ›

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.

How effective is certificate-based authentication? ›

Certificate-based authentication enhances system security by using digital certificates to verify the identity of users or devices. These certificates are difficult to forge and provide a higher level of assurance compared to passwords.

What is certificate authentication? ›

Certificate-based authentication is the process of establishing your identity using electronic documents known as digital certificates. A digital certificate is like an electronic passport used to prove your identity by confirming your ownership of a private key. Digital certificates contain: Identification data.

Is passwordless authentication considered MFA? ›

The biggest difference between passwordless authentication and MFA is that passwordless authentication eliminates the use of passwords. This differs from MFA which is used in conjunction with a username and password. When MFA is enabled on an account, users still have to enter their username and password.

Is biometrics considered MFA? ›

The unique characteristics of biometric traits, coupled with convenience, heightened resistance to attacks, and improved user experience, position biometrics as a strong and secure component in the MFA process.

Does SSO count as MFA? ›

SSO and the MFA Requirement. On its own, a single sign-on (SSO) solution doesn't satisfy the MFA requirement. If your Salesforce products are integrated with SSO, make sure MFA is enabled for all your Salesforce users. For help, check out these answers to common questions about SSO and the MFA requirement.

Is email OTP considered MFA? ›

OTP is a form of multi-factor authentication (MFA) designed to make it much harder for hackers to access protected information. MFAs require additional credentials beyond a simple password before the end user can gain access to an application or system.

Is Microsoft authenticator considered MFA? ›

Microsoft Authenticator for iOS

All Microsoft Entra authentications using phishing-resistant device-bound passkeys, push multifactor authentications (MFA), passwordless phone sign-in (PSI), and time-based one-time passcodes (TOTP) use the FIPS cryptography.

What is not an example of multi-factor authentication? ›

Voice-print authentication is not considered multi-factor authentication.



Can certificates be used for authentication? ›

Certificates allow users to be authenticated without having to remember several username and password combinations. Users often spend considerable time guessing and resetting passwords when they have many to remember.

Article information

Author: Trent Wehner
