The Why and What of CBA (PKI-based certificates)

What is a digital certificate (or simply certificate)?

Many different types of digital certificates serve different purposes. For the sake of simplicity, in this post, let’s focus on one type of certificate—the authentication certificate. An authentication certificate is usually governed by a system called PKI, or public key infrastructure. PKI-based certificates provide proof of identity before granting access to specific computing resources. Think of an authentication certificate like a passport; you present your passport to a border agency (who will validate your passport) before allowing you to enter certain countries.

Certificates are issued by an entity called the Certificate Authority. In this example, the Certificate Authority represents the passport office; many countries trust it, and you must go through stringent verification processes before your trustworthy passport is issued.

How is the certificate secured to prevent unauthorized use?

Let’s use the passport example again. A passport is an important document that you always want to safeguard and keep secure. The passport also employs various anti-tampering techniques (i.e., watermarked photo, special printing material, holographic seal, and electronic chips, etc.). These techniques ensure that only you can use the passport to prove your identity.

Unlike a passport (which is usually in the form of a physical booklet), a digital certificate is an electronic document that is typically securely stored on a USB token (e.g., YubiKey) or a smartcard (e.g. IDEMIA). When the PKI-based certificates are put on the token or smartcard, the user also needs to assign a PIN to prevent unauthorized access. The PIN is only known by the owner of the token or smartcard. The PIN is required whenever a request is made to access the certificates stored inside. Also, the YubiKey or smartcard includes various hardening technologies and secure hardware elements. This prevents malicious actors from extracting or copying the certificates stored inside.

How is the certificate accessed for computing resources?

Certificate-based Authentication (CBA) refers to the process of utilizing certificates to authenticate and gain access to computing resources (e.g., logging on to Windows or macOS machines or accessing applications like Salesforce or Office 365).

Windows and macOS natively support CBA. Once configured to do so, when a smartcard or YubiKey (containing a valid and trusted certificate) is inserted into the machine, the login prompt will ask for a PIN. When the user inputs the PIN, the PKI-based certificate is released and presented to the system for verification.

The login experience on Windows 11 with a PKI-based certificate

CBA on Windows 11

The login experience on macOS with certificate-based authentication backed by PKI

CBA on macOS

Similarly, a wide variety of systems and applications also support CBA. The user will be prompted to provide the certificate and the PIN during the authentication process.

The login experience with a PKI-based certificate on Office 365 Entra ID

CBA for Office 365 (Entra ID)

Why is CBA (much) better than passwords?

Passwords are undeniably the most commonly used authentication method being used but are inadequate in today’s world. Password-based authentication methods are subject to phishing attacks. These attacks have caused billions of dollars in financial loss across organizations around the globe. While other Multi-factor Authentication (MFA) technologies help reduce the risk, many of those technologies (e.g., One-Time Password, or OTP) are still vulnerable.

Certificate-based Authentication (CBA) is a mature technology supported by major operating systems, applications, and Identity and Access Management (IAM) platforms (e.g., Entra ID, Ping, Okta). The use of a hardware token (something you have), the PIN (something you know), and the certificate make CBA one of the top choices for implementing phishing-resistant MFA. In fact, CBA is also known as “PKI-based MFA” which is one of the only two authentication methods recognized by the Cybersecurity and Infrastructure Security Agency (CISA) as being phishing-resistant. The other phishing-resistant authentication method is FIDO/WebAuthn, which we will discuss in a future blog post.

From the user experience perspective, CBA provides an ATM-like experience that is intuitive and simple. Most users require little to no training and appreciate the easy to remember PIN instead of complex passwords.

How do I deploy CBA capabilities in my organization?

CBA relies on certificates issued by a trusted Certificate Authority, which can be deployed and managed internally or outsourced. A reliable and easy-to-use Credential Management System is also needed for managing the tokens and certificate life cycle.

Axiad provides a turnkey solution that allows organizations to easily onboard, manage, and support users with phishing-resistant CBA credentials (i.e., certificate on a hardware token or smartcard). Our solution provides an intuitive web-based user interface, allowing users to self-enroll to easily manage their tokens. Our solution runs in the cloud (an on-premises option is available) and provides everything you need to be up and running quickly.

Axiad Cloud Unified portal showing the issuance of certificate-based authentication (CBA) backed by PKI