10 Reasons to Love Passwordless #7: Authenticator app for easy phone sign-in

Published 02-26-2021 02:30 PM 3,484 Views
Microsoft

In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Today, Alex Weinert continues this series.

 

 

In previous blogs in this series, we shared how passwords lead to breaches, lost productivity and support calls. I also shared how biometrics local to each device provide a secure and convenient way to authenticate with a simple gesture from the user. 

 

Your identity companion, the Microsoft Authenticator app, is a great example. It allows you to sign into your Microsoft identities (personal, work or school) by responding to a notification with a quick scan of your face, swipe of your finger or entry of your phone passcode. By combining your device and the biometric, it is not just simpler than a password, but inherently multifactor. 

 

Most of us keep our mobile phone in easy grabbing distance, no matter what we’re doing. Using Authenticator on your mobile phone, you can easily approve sign-ins on any device and into any app. There is no password to type, SMS code to round-trip, or robocall to answer! Moreover, security measures such as matching a number at the time of approving a sign-in help prevent accidental approval, and the app can provide context and security notifications much richer than anything possible in text messages.

 

 

7.png

Figure 1: Number matching experience

 

 

If you have a smart watch, you don’t even have to take your phone out of your pocket while logging into your Microsoft account. (Every time I approve on my watch I feel like I am an extra in a cool sci-fi series – when my kid saw me do it, he finally thought Authentication was cool!)

 

5.png

 

For enterprises, when most of your workforce is remote, Microsoft Authenticator can be one of the easiest and fastest mechanisms to rollout. It is also the most cost effective. Users can download the app on their phones and setup an account in seconds. There is no additional hardware to carry and you can approve sign-ins on any device in the world. Passwordless authentication with Microsoft Authenticator also meets NIST 800-63 Authentication Assurance Level 2.

 

For end-users, the authentication experience matters the most. Microsoft Authenticator is one of the most highly rated authenticator apps in the world. As of February 2021, it tops its peers with a rating of 4.8 stars on Apple App store and 4.7 stars on Google Play store. Authenticator provides users great security with convenience and we are constantly innovating it with new capabilities. 

 

In summary, Microsoft Authenticator may be the easiest and most affordable way to go passwordless for you and your users. There is no additional hardware to carry, passwords to remember or type, SMS to copy or phone calls to attend while signing in. You tap a notification, provide your biometrics and you are logged into any device you want. All this with secure multifactor authentication.

 

Stay tuned for more in the series! We’ll share how passwordless credentials can protect you from top attacks and we’ll dive into setup and recovery of passwordless credentials.

 

 

Check out the other posts in this series: 

 

 

Learn more about Microsoft identity:

 

6 Comments
Occasional Contributor

Authenticator App is great! Unfortunately some users refuse to install such app on their personal mobile phone.

Any tips to convince them?

Occasional Contributor

Hello @MatAitAzzouzene 

 

It depends on their reasons:

  1. They just don' t want anything from work on their personal mobile phone
  2. They fear to be monitored by their employer
  3. They fear to leak some personal info to Microsoft
  4. Others

for 2. and 3. you can explain them that no personal information is shared with Microsoft. Authenticator does not need any sort of employer management of the phone (not like possibly some M365 apps) etc..

 

Regards

Christophe

 

Regular Visitor

Some great info - following this series of posts.

 

Can I just check is passwordless with Azure AD now generally available and fully supported? If not any ideas when it will be, it is difficult to progress with a production deployment without that support - particularly for something as important as authentication..

 

Many Thanks

Occasional Contributor

@ChristopheHumbert yes that is the point, some users don't want anything from work on their personal phone, they don't even want to share their personal phone number with Microsoft. I get this problem every time I try to massively deploy MFA to my customers' tenants.

New Contributor

For those employees who do not want to install apps on their phone, it is like not wanting to wear nice shoes in the office (they prefer sandals for example). In a technology driven world, there are certain expectations that an employee must assume when taking on employment. One of them is that they bring to their job, the necessary skills and attire to perform their function. If these methods of authentication are enforced, they are either capable of working or not. Most people live in a free society where they can seek other employment. 

Frequent Visitor

Nice Article but the App does have issues, when using the authenticator on a personal account I've been receiving push notifications requesting verification that clearly aren't from me and it has become more frequent, it is an annoying ritual to deny or ignore these request. I'm guessing they are hoping I'll make a mistake and accidently grant access.  Also the Authenticator doesn't log these failed\denied push notifications to recent activity so it is difficult to figure out the source of these requests.

 

So basically I can potentially get push notifications all day long from a bad actors.  I would also like an option to limit push notifications so when accessing a new device a email plus a short secret is required (visible in the App) before the notification is sent. This way I won't get harassed by bad actors, which is starting to make this application more of burden then a blessing. 

 

Please log failed\denied attempts to recent activity. I also noticed the logging in recent activity on a personal account isn't very robust, a number of times the machine I log into didn't show up in the logs, the logs contain 2 events, the authenticator and the machine, I'm not sure is intuitive to have 2 events for each sign-in, or at least label it as the authenticator instead of Browse\App Unknown. If the recent activity logs aren't accurate or confusing it makes them hard to trust. 

 

 

 

 

       

Co-Authors
Version history
Last update:
‎Mar 08 2021 10:58 AM
Updated by: