Nirantali
If I am reading your post correctly, you cover two topics:
Security:
You indicated that the Microsoft Authenticator app is not necessarily very secure on a mobile device because... (paraphrasing here) it isn't hardware-secured and is only as secure as the underlying mobile platform -- and if that platform is weak, or rooted/jailbroken, then all bets are off.
You recommend hardware security using U2F (at a minimum?) physical keys and, if you need to use a softkey, something like WinAuth, which can be configured to leverage U2F hardware to unlock the "vault".
Backup of Softkeys:
But if you do use softkeys, all you need to do is either:
- Screenshot / archive the QR code or initialization screen, or
- Root the Android device (or, with even less effort, the iPhone) to get access to the Microsoft Authenticator database of shared keys?
If I am reading your information correctly, then Microsoft Authenticator, or any non-hardware-secured software token, is... well, not so secure. Scary.
Thank you for sharing, and please let me know if my rephrase/summary is incorrect.
(I am really hoping that I am misunderstanding you re: Microsoft Authenticator)
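The "screenshot the QR code" point in the post above, as an added example that is not part of the original post and not code from Microsoft Authenticator or WinAuth: a provisioning QR code encodes an otpauth:// URI whose secret parameter is the base32-encoded shared key, and anyone holding that string can compute exactly the same RFC 6238 codes as the phone. The URI below is constructed for this example (the issuer and account name are made up; the secret is the RFC 6238 test-vector key "12345678901234567890"), and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP provisioning QR code contains.
# Issuer/account are invented; the secret is the RFC 6238 test-vector key.
SAMPLE_URI = (
    "otpauth://totp/ExampleCorp:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp&digits=6&period=30"
)


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into label, raw secret bytes and parameters.

    Everything needed to mint codes is right here in the QR payload; nothing
    else is held by the authenticator app.
    """
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(p.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # base32 strings in QR codes are usually unpadded
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify(code, secret, at=None, window=1, period=30, digits=6, algorithm="SHA1"):
    """Accept a code from the current step or up to `window` steps either side,
    which is the clock-skew tolerance a typical server applies."""
    if at is None:
        at = time.time()
    step = int(at) // period
    for counter in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return True
    return False


def codes_from_backup(uri, at=None):
    """What a 'screenshot backup' of the QR code buys an attacker or a user:
    the same six digits the phone shows, from nothing but the URI text."""
    params = parse_otpauth(uri)
    return totp(params["secret"], at, params["period"], params["digits"], params["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(f"account: {p['label']}")
    print(f"shared key (hex): {p['secret'].hex()}")
    print(f"current code: {codes_from_backup(SAMPLE_URI)}")
```

The codes at times 59 and 1111111109 reproduce the RFC 6238 reference values, which is the whole point: a copy of the secret is not a backup of the token, it is a second token, and the app's security reduces to how well that string is kept off the device's readable storage.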