---
title: Microsoft Entra PCI-DSS Multi-Factor Authentication guidance
description: Learn the authentication methods supported by Microsoft Entra ID to meet PCI MFA requirements
ms.service: entra
ms.subservice: standards
ms.topic: how-to
author: jricketts
ms.author: jricketts
manager: martinco
ms.reviewer: martinco
ms.date: 04/18/2023
ms.custom: it-pro
ms.collection:
---

# Microsoft Entra PCI-DSS Multi-Factor Authentication guidance

## Information Supplement: Multi-Factor Authentication v 1.0

Use the following table of authentication methods supported by Microsoft Entra ID to meet requirements in the PCI Security Standards Council Information Supplement, Multi-Factor Authentication v 1.0.

| Method | To meet requirements | Protection | MFA element |
|---|---|---|---|
| Passwordless phone sign-in with Microsoft Authenticator | Something you have (device with a key), and something you know or are (PIN or biometric). In iOS, Authenticator stores the key in the Keychain, protected by the Secure Element (SE); see Apple Platform Security, Keychain data protection. In Android, Authenticator uses the Trusted Execution Environment (TEE) by storing the key in the Keystore; see Developers, Android Keystore system. When users authenticate with Microsoft Authenticator, Microsoft Entra ID generates a random number that the user enters in the app. This action fulfills the out-of-band authentication requirement. | Customers configure device protection policies to mitigate device compromise risk, for instance Microsoft Intune compliance policies. | Users unlock the key with the gesture, then Microsoft Entra ID validates the authentication method. |
| Windows Hello for Business Deployment Prerequisite Overview | Something you have (Windows device with a key), and something you know or are (PIN or biometric). Keys are stored in the device Trusted Platform Module (TPM). Customers use devices with a hardware TPM 2.0 or later to meet the authentication method independence and out-of-band requirements; see Certified Authenticator Levels. | Configure device protection policies to mitigate device compromise risk, for instance Microsoft Intune compliance policies. | Users unlock the key with the gesture for Windows device sign-in. |
| Enable passwordless security key sign-in; Enable FIDO2 security key method | Something you have (FIDO2 security key), and something you know or are (PIN or biometric). Keys are stored in hardware cryptographic features. Customers use FIDO2 keys certified at Authenticator Certification Level 2 (L2) or higher to meet the authentication method independence and out-of-band requirements. | Procure hardware with protection against tampering and compromise. | Users unlock the key with the gesture, then Microsoft Entra ID validates the credential. |
| Overview of Microsoft Entra certificate-based authentication | Something you have (smart card) and something you know (PIN). Physical smart cards, or virtual smart cards stored in a TPM 2.0 or later, are a Secure Element (SE). This meets the authentication method independence and out-of-band requirements. | Procure smart cards with protection against tampering and compromise. | Users unlock the certificate private key with the gesture, or PIN, then Microsoft Entra ID validates the credential. |
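As an added example that is not part of the original article, the following PowerShell checks the Windows Hello for Business row's hardware prerequisite on one device: a TPM at specification 2.0 or later (read from the Win32_Tpm class) and a Windows Hello key that dsregcmd /status reports as TPM-protected. The function names are hypothetical; run it in an elevated session on the device being assessed.

```powershell
# Added example, not from the original article; function names are hypothetical.
# Checks the Windows Hello for Business hardware prerequisite from the table above:
# a TPM at specification 2.0 or later, plus a Windows Hello key that dsregcmd reports
# as TPM-protected. Run in an elevated PowerShell session on the device being assessed.

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion is a comma-separated string, for example "2.0, 0, 1.38";
    # the first field is the TPM specification version the chip implements.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.SpecVersion) { return $null }   # no TPM, or access denied
    return [version](($tpm.SpecVersion -split ',')[0].Trim())
}

function Get-HelloKeyState {
    # dsregcmd /status prints "Name : Value" lines. NgcSet says whether the signed-in
    # user has a Windows Hello (NGC) key; TpmProtected says whether that key is in the TPM.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        NgcSet       = ($fields['NgcSet'] -eq 'YES')
        TpmProtected = ($fields['TpmProtected'] -eq 'YES')
    }
}

function Test-HelloTpmPrerequisite {
    # Combines both checks into one finding: Meets is true only when a TPM 2.0 or later
    # is present and the Windows Hello key is bound to it; otherwise Reason says why not.
    $spec  = Get-TpmSpecVersion
    $key   = Get-HelloKeyState
    $tpmOk = ($null -ne $spec) -and ($spec -ge [version]'2.0')
    $reason = if (-not $tpmOk)                { 'No TPM found, or TPM specification below 2.0' }
              elseif (-not $key.NgcSet)       { 'No Windows Hello key provisioned for this user' }
              elseif (-not $key.TpmProtected) { 'Windows Hello key is not TPM-protected' }
              else                            { 'Meets the TPM 2.0 hardware-protection prerequisite' }
    [pscustomobject]@{
        TpmSpecVersion = $spec
        NgcSet         = $key.NgcSet
        TpmProtected   = $key.TpmProtected
        Meets          = ($tpmOk -and $key.NgcSet -and $key.TpmProtected)
        Reason         = $reason
    }
}

Test-HelloTpmPrerequisite | Format-List
```

The result covers only the device-side key protection the table describes; the Intune compliance policy that enforces it across the fleet is configured separately.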

## Next steps

PCI-DSS requirements 3, 4, 9, and 12 aren't applicable to Microsoft Entra ID, so there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org, the official PCI Security Standards Council site.

To configure Microsoft Entra ID to comply with PCI-DSS, see the following articles.