
Hello! With the dust settling from Ignite 2019, let’s dive in with “how stuff works” – focusing on the Microsoft Authenticator’s backup and restore feature.

 

Earlier this year we released the Microsoft Authenticator backup and restore feature on iOS and Android, which lets you easily move your accounts on the Authenticator app to a new device. Some folks have asked how we secure this process – in this blog, we’ll deep dive into how it works.

In the descriptions below, a “strong authentication token” means the user has authenticated using multi factor authentication - for example, they used a password and then entered a code sent to their phone or email or signed in with Windows Hello or a FIDO token, depending on the factors they have previously enabled.

 

Overview of how the Microsoft Authenticator works

The Microsoft Authenticator supports a variety of authentication mechanisms for Microsoft consumer, work and school accounts in different modes, as well as any account which supports the OATH TOTP standard.

 

For accounts using the OATH TOTP standard, there is a shared secret stored both in the Authenticator app and in the identity provider.

 

For accounts using other mechanisms, the Authenticator creates a public/private keypair in a hardware backed storage (e.g. the Keychain on iOS and Keystore on Android) and exports the public key to Microsoft’s login server. The private key never leaves the device when a user is using the backup or restore features of their Authenticator app or when using the operating system app restore features.

 

Backup

To restore Microsoft Authenticator accounts on a new device, the user must first back up their current device. Here are the steps.

  1. The user starts the backup process by clicking on the menu, going to settings, and enabling backup.
  2. The Authenticator app uses a strong authentication token to request a 256-bit key from an internal Microsoft account key service. The app receives this key and a retrieval id (Key ID) from the key service.
  3. The Authenticator uses the key to create an encrypted JSON Web Encryption blob (JWE) using AES-256. The information contained varies based on what accounts the Authenticator’s owner has configured.
    a. For all accounts, the Authenticator encrypts relevant metadata about the account such as:
      i. Backup creation time
      ii. Account system
      iii. Username
      iv. Credential types (e.g. Phone Sign-In, TOTP)
    b. For OATH TOTP accounts (including personal Microsoft account and third party), the JWE also includes the shared secret used in TOTP.
    c. The data above is also hashed with SHA-512 to protect against theft and tampering, and this hash is added to the JWE.
  4. The JWE and the Key ID are then uploaded to the appropriate cloud storage:
    a. For Android devices, they are stored in Microsoft’s cloud storage provider and tied to the user’s personal Microsoft account.
    b. For iOS devices, they are stored in iCloud and tied to the user’s Apple account.

Restore

After the backup has been successfully created, the user can restore their Microsoft Authenticator accounts on a new device. Here are the steps:

  5. The user starts the recovery process by clicking on “Begin Recovery” on the home screen of the app.
  6. The user is required to sign into the account they used to create the backup in step 2, after which the app retrieves the JWE and Key ID stored in step 4 from the appropriate cloud storage – Microsoft’s cloud storage provider (Android devices) or iCloud (iOS devices).
  7. The Authenticator app uses a strong authentication token and the Key ID to retrieve the key from the Microsoft account key service.
  8. Using the key, the Authenticator decrypts the JWE and verifies its integrity using the hash from step 3c.
  9. The contents of the accounts stored in the JWE are used to populate the application, and the user can see their accounts in the app.
    a. OATH TOTP accounts (from 3b) are fully set up, as the shared secret has been restored.
    b. For all other accounts displayed, the user must authenticate to create a new public/private keypair on the device and re-register each account’s public key for the new Authenticator instance.

Backup and Recovery Diagram

What’s life without a little UML? Here’s a picture encapsulating the flow described above.

 

[Figure: Auth Backup and Restore diagram]

 

Summary

Hopefully this helps you understand the mechanics behind our secure backup and restore process for Microsoft Authenticator. If you have any more questions, check out our Microsoft Authenticator docs or ping me at @alex_t_weinert.

 

Stay safe out there!
- Alex

 

9 Comments
Contributor

How about between iOS and Android?

Senior Member

Hello @Alex Weinert, how are you? :smile:

 

I did the test below and it didn't work for this use case (iPhone full restore from iCloud). The restore is only working if I delete the app and reinstall in the same device or moving between devices, but not when I perform a full iPhone restore in the same iPhone.

 

iOS 13.2.2 / iPhone 11

 

steps:

1) installed Microsoft Authenticator app

2) setup personal account (@hotmail.com)

3) added 2 records (facebook and google)

4) performed backup to iCloud using backup feature of Microsoft authenticator app

5) performed iPhone backup using iOS iCloud feature

6) reinstall iPhone using iCloud backup

 

After the restore, I tried to follow the "Begin Recovery" procedures of Microsoft authenticator app, but I received the message that I don't have a backup available in my iCloud. But I have the backup.

 

Any ideas?

 

Regards,

 

Weber Ress

Occasional Visitor

I experienced exactly the same as Weber. But I found an iCloud 'switch' in the settings within authenticator, which was switched off. So an iCloud backup of your iPhone apparently doesn't backup the authenticator. I have now put this switch to 'on'.

I now have three accounts in the authenticator that will not give me any one time passwords. I'm still trying to get them to work without completely reinstalling the app. Any thoughts anyone?

 

Jeroen

Senior Member

In my use case, my iCloud account is w1xxxx@icloud.com and my personal MS account is w2xxxx@hotmail.com. Also, I've activated the iCloud backup within MS auth app.

 

[]'s !

 

Weber

Occasional Visitor

I love the cloud backup feature, it saved between factory reset! Only thing would make this the best is for it to have a dark mode.

Frequent Visitor

Has anyone successfully backed up and restored MS Auth when you switch MDM's?  

Senior Member

This is a good start, but in need of more work I think. Two major stumbling blocks for our adoption are

 

1) You can't backup to a work or school account.

2) You can't restore across platforms.

 

I could probably live without the first one (whilst grumbling), but it's dead in the water without the second. A backup you can't recover is hopeless.

 

Please someone tell me I'm missing something so I can apologise and get excited about this.

Occasional Visitor

I was having issues with the sound and haptics on my iPhone and needed to do a reset and restore from iCloud. MSAuthenticator was set to back up to the cloud. I had moved all my accounts out of Google Authenticator because of the horror stories I had heard from people losing codes when getting a new phone or restoring. 

 

Now as it turns out, I ended up losing all the codes I had in MS Authenticator. When going to Recover Accounts, it only loads my account that was associated with the backups in iCloud that I assumed would be used to restore the codes. Ironically, all the codes I had in Authy and Google authenticator are all there without having had to do anything. Is there any way to get them back? Such a bummer.

 

I have been trying to decide between MS and Authy for a while now and it seems like the choice is now obvious which to go if you don't want to lose all your codes in the event of doing a restore on your phone. 

Occasional Contributor

Quick question to Microsoft Team,

Does the backup and restore defy the point of MFA authentication? This process does potentially allow cloning the Authenticator app into a secondary phone (with or without the primary phone owner's knowledge) and therefore defies the non-repudiation principles. What is the protection for the backup file of the authenticator? Microsoft Authenticator recommends using a "Microsoft Live" account that is a personal account plus TEXT/Call/Email code for authentication. But all those methods will not stop someone from backing up an unlocked phone...

Is there an in-app / server feature to detect two authenticator apps running simultaneously on different phones?

P.S. There was always an option to clone an authenticator if the initial QR code was intercepted. But this was only limited to the onboarding phase. Backup and restore opens an opportunity to get all the accounts cloned.