Martin Gallo, Sr. Product Manager, HYPR
3 Min. Read | August 8, 2024
Yesterday at the Black Hat conference, Microsoft announced the public preview of Entra FIDO2 provisioning APIs. HYPR worked closely with Microsoft on these critical enhancements, which make it easier for Entra customers to provision passkeys for their users. Like the EAM integration unveiled a few months ago, collaborative development of such features is essential to fuel adoption of secure, phishing-resistant authentication methods. We are honored that Microsoft named HYPR as a fully-tested vendor to help Entra customers on their FIDO2 provisioning journey.
This partnership underscores our commitment to delivering a secure and interoperable ecosystem for our customers… Their involvement has been instrumental in ensuring that the APIs are robust, versatile, and ready for real-world challenges."
– Tim Larson, Senior Product Manager on Microsoft Entra
What Are the Microsoft Entra FIDO2 Provisioning APIs?
Credential compromise is the top entry vector for attacks. Adversaries use phishing, adversary-in-the-middle (AitM), social engineering, and other tactics — increasingly aided by AI — to steal passwords and MFA tokens to log in as legitimate users. These breaches are very hard to detect until the damage is already underway. Phishing-resistant authentication based on FIDO2 standards is the single most effective way organizations can protect themselves and their users against such threats. The Microsoft Entra FIDO2 provisioning APIs encourage FIDO2 deployment and adoption by making it easier for users to enroll passkeys as an authenticator. Organizations can build their own admin provisioning clients, or work with a provider like HYPR, which leverages the new APIs.
How It Works
Using the new APIs, it’s quick and simple to provision a FIDO2 security key / passkey as a credential for Entra ID. Previously, users had to manually register their security key with Entra ID. The APIs eliminate this step, letting organizations handle the registration on behalf of their users. They work with both hardware FIDO2 keys and virtual FIDO2 security keys like HYPR.
What Does It Mean for HYPR Customers?
The new APIs further optimize the HYPR integration with Microsoft Entra ID. Leveraging their functionality streamlines provisioning of HYPR Enterprise Passkeys, making them the ideal authentication option for Microsoft Entra environments. Users simply pair their Windows workstation with HYPR and the passkey is automatically added to their Entra profile. As you can see in the below video, the entire process takes less than a minute.
Enrolling HYPR Enterprise Passkeys using the new Microsoft Entra ID FIDO2 provisioning APIs
HYPR Enterprise Passkeys
HYPR Enterprise Passkeys are Microsoft-approved and validated, FIDO Certified device-bound passkeys. They provide the assurance of a hardware key, including provenance attestation, and the convenience of a mobile authenticator app. With Enterprise Passkeys, users authenticate with a single gesture to gain access to Entra ID and all downstream apps. If they use HYPR to log into their desktop, the authenticated identity is automatically passed to Entra ID.
Enterprise Passkeys work in both fully Entra-joined and hybrid-joined environments, with multiple transport options for greater flexibility.
Learn More About HYPR and the Microsoft Entra FIDO2 Provisioning APIs
The Microsoft Entra FIDO2 Provisioning APIs are now in public preview. Read Microsoft’s technical documentation for more details about how it works. To learn more about how HYPR leverages the new APIs and HYPR Enterprise Passkeys for Entra ID, talk to our team!
