Hello! With the dust settling from Ignite 2019, let’s dive in with “how stuff works” – focusing on the Microsoft Authenticator’s backup and restore feature.
Earlier this year we released the Microsoft Authenticator backup and restore feature on iOS and Android, which lets you easily move your accounts on the Authenticator app to a new device. Some folks have asked how we secure this process – in this blog, we’ll deep dive into how it works.
In the descriptions below, a “strong authentication token” means the user has authenticated using multi factor authentication - for example, they used a password and then entered a code sent to their phone or email or signed in with Windows Hello or a FIDO token, depending on the factors they have previously enabled.
The Microsoft Authenticator supports a variety of authentication mechanisms to support Microsoft consumer, work and school accounts in different modes, as well as any account which supports the OATH TOTP standard.
For accounts using the OATH TOTP standard, there is a shared secret stored both in the Authenticator app and in the identity provider.
For accounts using other mechanisms, the Authenticator creates a public/private keypair in a hardware backed storage (e.g. the Keychain on iOS and Keystore on Android) and exports the public key to Microsoft’s login server. The private key never leaves the device when a user is using the backup or restore features of their Authenticator app or when using the operating system app restore features.
To restore Microsoft Authenticator accounts on a new device, the user must first back up their current device. Here are the steps.
After the backup has been successfully created, the user can restore their Microsoft Authenticator accounts on a new device. Here are the steps:
What’s life without a little UML? Here’s a picture encapsulating the flow described above.
Hopefully this helps you understand the mechanics behind our secure backup and restore process for Microsoft Authenticator. If you have any more questions, check out our Microsoft Authenticator docs or ping me at @alex_t_weinert.
Stay safe out there!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.