Phishing-Resistant MFA - On-premises Infrastructure
If your existing technology stack relies mainly on an on-premises Active Directory infrastructure, you are probably already well positioned for several of the decision points below. For each point, consider the use cases you need to fulfill.
- Will you be focused solely on application logon, or will you need to cover device sign-in (Windows logon) as well?
- Do the applications have local clients, or are they accessed through a web browser? Is an SSO solution already in front of any of them?
- Will users mainly work from central locations, or are they geographically dispersed?
- Do you have (or plan to implement) a standard onboarding process that issues managed hardware and credentials, or are users encouraged to bring their own devices?
If your organization already has an enterprise Certificate Authority (CA) integrated with Active Directory (Active Directory Certificate Services) and supports mainly on-premises applications, follow the guide below to integrate and deploy phishing-resistant MFA for your users.
📄 Central On-premise Tooling
If your organization relies on a mix of cloud-based and on-premises applications, Azure AD (Microsoft Entra ID) Certificate-Based Authentication (CBA) may be a better fit. Your existing on-premises PKI keeps issuing and managing user certificates; the issuing CA's certificate chain and a username-binding rule are configured in the tenant, so the same certificates can authenticate users to cloud-based and external tools.
📄 Remote/Mixed users with cloud based tools
If you have an on-premises Active Directory without a Certificate Authority configured, start from your organization's use cases. They will steer you toward a local smart card deployment, a solution built on Azure AD CBA, or a mix of the two. Once you have chosen a deployment architecture, build a deployment timeline and use the matching guide above to deploy and integrate smart cards into your authentication workflows.
Deployment guides for the CA and Azure AD CBA paths are linked above.
The Knowledge Base includes configuration guides for many specific use cases that build on this infrastructure.
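The decision between the two paths hinges on whether an enterprise CA already exists in your forest and whether it publishes the templates smart card logon depends on. The following PowerShell script is an added example, not part of the original page or any vendor guide: it is read-only, assumes a domain-joined host with the RSAT ActiveDirectory module, and reports the registered enterprise CAs, the templates carrying the Smart Card Logon EKU, and whether the built-in domain controller templates (needed for Kerberos PKINIT) are published. The template names and OIDs are the standard AD CS values; everything else is hypothetical naming chosen for this example.

```powershell
# Added example: inventory the AD CS pieces an on-premises smart card rollout needs.
# Read-only. Assumes a domain-joined host with the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Enterprise CAs registered in the forest. A standalone CA that is not an
#    enterprise CA does not appear here and cannot auto-enroll domain users.
$cas = @(Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, certificateTemplates -ErrorAction SilentlyContinue)

if ($cas.Count -eq 0) {
    Write-Output "No enterprise CA is registered in this forest."
    Write-Output "Deploy AD CS before a local smart card rollout, or use Azure AD CBA with a PKI you already operate."
    return
}

# 2. Templates that carry the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2).
#    By default, only a card issued from a template with this EKU can be used for logon.
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
$scTemplates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties pKIExtendedKeyUsage |
    Where-Object { $_.pKIExtendedKeyUsage -contains $smartCardLogonEku } |
    Select-Object -ExpandProperty Name

# 3. Domain controllers need their own certificates for Kerberos PKINIT (the
#    protocol behind smart card logon). These are the built-in DC template names.
$dcTemplates = @('DomainController', 'DomainControllerAuthentication', 'KerberosAuthentication')

foreach ($ca in $cas) {
    $published   = @($ca.certificateTemplates)
    $scPublished = @($published | Where-Object { $scTemplates -contains $_ })
    $dcPublished = @($published | Where-Object { $dcTemplates -contains $_ })

    Write-Output "CA '$($ca.Name)' on $($ca.dNSHostName)"
    if ($scPublished.Count -gt 0) {
        Write-Output "  Smart card logon templates published: $($scPublished -join ', ')"
    } else {
        Write-Output "  No template with the Smart Card Logon EKU is published on this CA."
    }
    if ($dcPublished.Count -gt 0) {
        Write-Output "  Domain controller templates published: $($dcPublished -join ', ')"
    } else {
        Write-Output "  No domain controller template is published; DCs cannot obtain PKINIT certificates from this CA."
    }
}
```

If the script reports no enterprise CA, you are in the last branch above and must either stand up AD CS before a local smart card deployment or route authentication through Azure AD CBA with the PKI you already operate. If a CA exists but publishes no smart card logon or domain controller template, the CA is usable, but those templates have to be published (and DCs enrolled) before device sign-in with a card will work.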