Updated: April 24, 2024 (April 6, 2024)

  Analyst Report

Understanding Entra Certificate-Based Authentication


by Wes Miller

Wes Miller analyzes and writes about Microsoft’s security, identity management, and systems management technologies. Before joining Directions on Microsoft, Wes...

  • Entra certificate-based authentication allows users to securely sign in to Entra ID, applications, and Web sites without passwords.
  • This approach helps keep user credentials secure by minimizing the likelihood of phishing attacks, and potentially removing one dependency on AD Federation Services, which increasingly could be an attack vector.
  • The Entra ID certificate authentication feature is free, but there are significant technical hurdles in deploying it, and it depends on a public key infrastructure, which the organization must have already successfully deployed.

Entra certificate-based authentication (CBA) allows users to sign in to local and Web applications on their devices without a password, which can reduce friction for the end user and improve overall organizational security. The approach lessens the likelihood that users can be phished for their credentials, and the organization has one less reason to deploy Active Directory Federation Services (AD FS) and Certificate Services (AD CS). However, it requires successful deployment of the organization’s own public key infrastructure (PKI), which is not included with Entra CBA. The certificate authentication feature could help add fuel to the efforts within many organizations to move toward retiring AD FS and AD CS, which have increasingly become targets for attackers and levers for breaking into organizations.
