Merge pull request #216223 from Justinha/cba-mobile

added iOS update for YubiKey

Author: Court72

articles/active-directory/authentication/concept-certificate-based-authentication-mobile-android.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 10/05/2022
+ms.date: 10/27/2022
 
 ms.author: justinha
 author: vimrang
@@ -61,6 +61,107 @@ Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are
 
 To determine if your email application supports Azure AD CBA, contact your application developer.
 
+## Support for certificates on hardware security key (preview)
+
+Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. Azure AD supports CBA with YubiKey.  
+
+### Advantages of certificates on hardware security key 
+
+Security keys with certificates:  
+
+- Has the roaming nature of security key, which allows users to use the same certificate on different devices 
+- Are hardware-secured with a PIN, which makes them phishing-resistant 
+- Provide multifactor authentication with a PIN as second factor to access the private key of the certificate 
+- Satisfy the industry requirement to have MFA on separate device 
+- Help in future proofing where multiple credentials can be stored including Fast Identity Online 2 (FIDO2) keys. 
+
+### Azure AD CBA on Android mobile 
+
+Android needs a middleware application to be able to support smartcard or security keys with certificates. To support YubiKeys with Azure AD CBA, YubiKey Android SDK has been integrated into the Microsoft broker code which can be leveraged through the latest MSAL 
+
+### Azure AD CBA on Android mobile with YubiKey 
+
+Since Azure AD CBA with YubiKey on Android mobile is enabled via the latest MSAL, YubiKey Authenticator app is not a requirement for Android support. 
+
+Steps to test YubiKey on Microsoft apps on Android: 
+
+1. Install the latest Microsoft Authenticator app.
+1. Open Outlook and plug in your YubiKey. 
+1. Select **Add account** and enter your user principal name (UPN).
+1. Click **Continue**. A dialog should immediately pop up asking for permission to access your YubiKey. Click **OK**. 
+1. Select **Use Certificate or smart card**. A custom certificate picker will appear. 
+1. Select the certificate associated with the user’s account. Click **Continue**. 
+1. Enter the PIN to access YubiKey and select **Unlock**. 
+
+The user should be successfully logged in and redirected to the Outlook homepage. 
+
+>[!NOTE]
+>For a smooth CBA flow, plug in YubiKey as soon as the application is opened and accept the consent dialog from YubiKey before selecting the link **Use Certificate or smart card**. 
+
+### Troubleshoot certificates on hardware security key
+
+#### What will happen if the user has certificates both on the Android device and YubiKey? 
+
+- If the user has certificates both on the android device and YubiKey, then if the YubiKey is plugged in before user clicks **Use Certificate or smart card**, the user will be shown the certificates in the YubiKey.  
+- If the YubiKey is not plugged in before user clicks **Use Certificate or smart card**, the user will be shown all the certificates on the device. The user can **Cancel** the certificate picker, plug in the YubiKey, and restart the CBA process with YubiKey. 
+
+#### My YubiKey is locked after incorrectly typing PIN three times. How do I fix it? 
+
+- Users should see a dialog informing you that too many PIN attempts have been made. This dialog also pops up during subsequent attempts to select **Use Certificate or smart card**.
+- [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) can reset a YubiKey’s PIN. 
+
+#### I have installed Microsoft authenticator but still do not see an option to do Certificate based authentication with YubiKey 
+
+Before installing Microsoft Authenticator, uninstall Company Portal and install it after Microsoft Authenticator installation. 
+
+#### Does Azure AD CBA support YubiKey via NFC? 
+
+This feature currently only supports using YubiKey with USB and not NFC. We are working to add support for NFC. 
+
+#### Once CBA fails, clicking on the CBA option again in the ‘Other ways to signin’ link on the error page fails. 
+
+This issue happens because of certificate caching. We are working to add a fix to clear the cache. As a workaround, clicking cancel and restarting the login flow will let the user choose a new certificate and successfully login. 
+
+#### Azure AD CBA with YubiKey is failing. What information would help debug the issue? 
+
+1. Open Microsoft Authenticator app, click the three dots icon in the top right corner and select **Send Feedback**.
+1. Click **Having Trouble?**.
+1. For **Select an option**, select **Add or sign into an account**. 
+1. Describe any details you want to add. 
+1. Click the send arrow in the top right corner. Note the code provided in the dialog that appears. 
+
+### Known Issues 
+
+- Sometimes, plugging in the YubiKey and providing permission via the permission dialog and clicking **Use Certificate or smart card** will still take the user to on-device CBA picker pop up (instead of the smart card CBA picker). The user will need to cancel out of the picker, unplug their key, and re-plugin their key before attempting to sign in again.  
+- With the Most Recently Used (MRU) feature, once a user uses CBA for authentication, MRU auth method will be set to CBA. Since the user will be directly taken into CBA flow, there may not be enough time for the user to accept the Android USB consent dialog. As a workaround user needs to remove and re-plugin the YubiKey, accept the consent dialog from YubiKey then click the back button and try again to complete CBA authentication flow.  
+- Azure AD CBA with YubiKey on latest Outlook and Teams fail at times. This could be due to a keyboard configuration change when the YubiKey is plugged in. This can be solved by:
+  - Plug in YubiKey as soon as the application is opened.  
+  - Accept the consent dialog from YubiKey before selecting the link **Use Certificate or smart card**. 
+
+### Supported platforms
+
+- Applications using the latest Microsoft Authentication Library (MSAL) or Microsoft Authenticator can do CBA 
+- Microsoft first-party apps with latest MSAL libraries or Microsoft Authenticator can do CBA 
+
+#### Supported operating systems
+
+|Operating system | Certificate on-device/Derived PIV |    Smart cards        |
+|:----------------|:---------------------------------:|:---------------------:|
+| Android         | ✅                          | Supported vendors only|
+
+#### Supported browsers
+
+|Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Edge certificate on-device | Edge smart card |
+|:----------------|:---------------------------------:|:---------------------:|:---------------------------------:|:---------------------:|:---------------------------------:|:---------------------:|
+| Android             |  ✅                          | ❌|N/A                          | N/A |  ❌                          | ❌|
+
+### Security key providers
+
+|Provider            |                  Android           |
+|:-------------------|:------------------------------:|
+| YubiKey            |              ✅          | 
+
+
 ## Next steps
 
 - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)

articles/active-directory/authentication/concept-certificate-based-authentication-mobile-ios.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 10/05/2022
+ms.date: 10/27/2022
 
 ms.author: justinha
 author: vimrang
@@ -34,16 +34,6 @@ Azure AD CBA is supported for certificates on-device on native browsers and on M
 
 On-device certificates are provisioned on the device. Customers can use Mobile Device Management (MDM) to provision the certificates on the device. Since iOS doesn't support hardware protected keys out of the box, customers can use external storage devices for certificates.
 
-## Advantages of external storage for certificates
-
-Customers can use external security keys to store their certificates. Security keys with certificates: 
-
-- Enable the usage on any device and doesn't require the provision on every device the user has
-- Are hardware secured with a PIN, which makes them phishing resistant
-- Provide multifactor authentication with a PIN as second factor to access the private key of the certificate in the key
-- Satisfy the industry requirement to have MFA on separate device
-- Future proofing where multiple credentials can be stored including FIDO2 keys
-
 ## Supported platforms
 
 - Only native browsers are supported 
@@ -57,10 +47,6 @@ Customers can use external security keys to store their certificates. Security k
 |--------|---------|------|-------|
 |❌ | ❌ | ✅ |❌ |
 
-### Vendors for External storage
-
-Azure AD CBA will support certificates on YubiKeys. Users can install YubiKey authenticator application from YubiKey and do Azure AD CBA. Applications that don't use latest MSAL libraries need to also install Microsoft Authenticator.
-
 ## Microsoft mobile applications support
 
 | Applications | Support | 
@@ -83,6 +69,93 @@ On iOS 9 or later, the native iOS mail client is supported.
 
 To determine if your email application supports Azure AD CBA, contact your application developer.
 
+## Support for certificates on hardware security key (preview)
+
+Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. 
+Microsoft's mobile certificate-based solution coupled with the hardware security keys is a simple, convenient, FIPS (Federal Information Processing Standards) certified phishing-resistant MFA method. 
+
+As for iOS 16/iPadOS 16.1, Apple devices provide native driver support for USB-C or Lightning connected CCID-compliant smart cards. This means Apple devices on iOS 16/iPadOS 16.1 will see a USB-C or Lightning connected CCID-compliant device as a smart card without the use of additional drivers or 3rd party apps. Azure AD CBA will work on these USB-A or USB-C, or Lightning connected CCID-compliant smart cards. 
+
+
+### Advantages of certificates on hardware security key 
+
+Security keys with certificates:  
+
+- Can be used on any device, and don't need a certificate to be provisioned on every device the user has 
+- Are hardware-secured with a PIN, which makes them phishing-resistant 
+- Provide multifactor authentication with a PIN as second factor to access the private key of the certificate 
+- Satisfy the industry requirement to have MFA on separate device 
+- Help in future proofing where multiple credentials can be stored including Fast Identity Online 2 (FIDO2) keys 
+
+### Azure AD CBA on iOS mobile with YubiKey 
+
+Even though the native Smartcard/CCID driver is available on iOS/iPadOS for Lightning connected CCID-compliant smart cards, the YubiKey 5Ci Lightning connector is not seen as a connected smart card on these devices without the use of PIV (Personal Identity Verification) middleware like the Yubico Authenticator.  
+
+### One-time registration prerequisite
+
+- Have a PIV-enabled YubiKey with a smartcard certificate provisioned on it
+- Download the [Yubico Authenticator for iOS app](https://apps.apple.com/app/yubico-authenticator/id1476679808) on your iPhone with v14.2 or later
+- Open the app, insert the YubiKey or tap over near field communication (NFC) and follow steps to upload the certificate to iOS keychain 
+
+### Steps to test YubiKey on Microsoft apps on iOS mobile 
+
+1. Install the latest Microsoft Authenticator app.
+1. Open Outlook and plug in your YubiKey. 
+1. Select **Add account** and enter your user principal name (UPN).
+1. Click **Continue** and the iOS certificate picker will appear. 
+1. Select the public certificate copied from YubiKey that is associated with the user’s account.  
+1. Click **YubiKey required** to open the YubiKey authenticator app. 
+1. Enter the PIN to access YubiKey and select the back button at the top left corner. 
+
+The user should be successfully logged in and redirected to the Outlook homepage. 
+
+### Troubleshoot certificates on hardware security key
+
+#### What will happen if the user has certificates both on the iOS device and YubiKey? 
+
+The iOS certificate picker will show all the certificates on both iOS device and the ones copied from YubiKey into iOS device. Depending on the certificate user picks they will be either taken to YubiKey authenticator to enter PIN or directly authenticated. 
+
+#### My YubiKey is locked after incorrectly typing PIN 3 times. How do I fix it? 
+
+- Users should see a dialog informing you that too many PIN attempts have been made. This dialog also pops up during subsequent attempts to select **Use Certificate or smart card**.
+- [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) can reset a YubiKey’s PIN. 
+
+#### Once CBA fails, clicking on the CBA option again in the ‘Other ways to signin’ link on the error page fails. 
+
+This issue happens because of certificate caching. We are working to add a fix to clear the cache. As a workaround, clicking cancel and restarting the login flow will let the user choose a new certificate and successfully login. 
+
+#### Azure AD CBA with YubiKey is failing. What information would help debug the issue? 
+
+1. Open Microsoft Authenticator app, click the three dots icon in the top right corner and select **Send Feedback**.
+1. Click **Having Trouble?**.
+1. For **Select an option**, select **Add or sign into an account**. 
+1. Describe any details you want to add. 
+1. Click the send arrow in the top right corner. Note the code provided in the dialog that appears. 
+
+#### How can I enforce phishing-resistant MFA using a hardware security key on browser-based applications on mobile? 
+
+Certificate based authentication and Conditional Access authentication strength capability makes it powerful for customers to enforce authentication needs. Edge as a profile (add an account) will work with a hardware security key like YubiKey and conditional access policy with authentication strength capability can enforce phishing-resistant authentication with CBA.
+
+CBA support for YubiKey is available in the latest Microsoft Authentication Library (MSAL) libraries, any third-party application that integrates the latest MSAL, and all Microsoft first party applications can leverage CBA and Conditional Access authentication strength. 
+
+### Supported operating systems
+
+|Operating system | Certificate on-device/Derived PIV |    Smart cards        |
+|:----------------|:---------------------------------:|:---------------------:|
+| iOS             | ✅                          | Supported vendors only|
+
+### Supported browsers
+
+|Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Edge certificate on-device | Edge smart card |
+|:----------------|:---------------------------------:|:---------------------:|:---------------------------------:|:---------------------:|:---------------------------------:|:---------------------:|
+| iOS             |  ❌                          | ❌|✅                          | ✅ |  ❌                          | ❌|
+
+### Security key providers
+
+|Provider            |                  iOS           |
+|:-------------------|:------------------------------:|
+| YubiKey            |              ✅          | 
+
 ## Known issue
 
 On iOS, users will see a "double prompt", where they must click the option to use certificate-based authentication twice. We're working to create a seamless user experience.