Microsoft Authenticator app lock now enabled by default
Published Aug 03 2020 11:00 AM 248K Views

Howdy folks,

We’re always listening to your feedback about Microsoft Authenticator and what we can do to make the app more secure and easier for end users. A few years ago, we released our App Lock feature in response to feedback that you wanted to make sure your app was secured by a PIN or biometric. Last month, we expanded App Lock’s protection: if App Lock is enabled, approving any notification now also requires your PIN or biometric.

With our latest release, as part of our effort to make your sign-in experience even more secure, App Lock will be enabled by default if you’ve set up a PIN or biometric on your device.

[Image: authapp1.png]

Try it out

If you don’t have the Microsoft Authenticator app yet, get it here. You’ll need version 6.4.22 or later on iOS to try this out.

We’re rolling this feature out to iOS TestFlight starting today and will gradually roll it out to all users over the next few weeks. The Android update will follow next month.

How different notifications will work

Azure AD and MSA MFA notifications

Today, when a notification arrives on your phone, you can tap Approve or Deny directly from the lock screen. With App Lock enabled, you will first have to launch the app (on iOS) or open a dialog (on Android) before you can tap Approve or Deny, and you will also need to provide a PIN or biometric gesture to complete the authentication. So even if you leave your phone unlocked on your desk and walk away, a passerby cannot approve the notification for you.

[Image: authapp2.png]

Enterprise on-premises MFA notifications that already require a PIN

The flow will remain as it is today. After you interact with the notification, you will need to provide your MFA PIN (not your device PIN). In subsequent approvals, you will have the option to use your device biometric gesture instead of your MFA PIN.

Azure AD and MSA Phone sign-in notifications

The flow will remain as it is today.

Additional questions

If you have questions, check out our FAQ page.

Also, we want to hear from you! Feel free to leave comments below or reach out to us on Twitter (@AzureAD).

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

90 Comments
Copper Contributor

One thing I didn't see in the FAQ is how will this affect the user experience for users that get the push notification on their smart watch? If I have a pin on my smart watch, will I be prompted for that pin when I try to accept the Authenticator app push notification on my smart watch?

Iron Contributor

How will this work with Apple Watch?

Silver Contributor

Can't seem to get to the form to request access in TestFlight. It says the Microsoft Form is flagged for potential phishing? Unless this is not the right form to go to for requesting access?

[Image: capture20200804121959469.png]

https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR68AojHg485IuWUUpl99NURUNzJH...

Copper Contributor

This is great, but I’m disappointed that this announcement doesn’t include showing the user metadata about which application is signing in, from what location and IP address, which is pretty much the standard nowadays for push notification based MFA.

Microsoft

@yowershell @Ryan Morash , this change shouldn't affect the Apple Watch experience at all. Since the Watch has to be unlocked before you put it on, and it stays unlocked as long as it remains on your wrist, we consider an approval on the watch a pretty high guarantee that you're still the one who owns the watch and is doing the approving.

Microsoft

@Damien Rosario The form has expired. I've just privately messaged you the link to join our TestFlight. Thanks.

Microsoft

@Ismael Carlo Thanks for the feedback. Adding additional context to push notifications is something we are working on for the future.

Brass Contributor

@Olena Huang 

My gut reaction is that this will make some people hate Authenticator and switch to SMS texting (if permitted). The likelihood of a passerby approving a notification seems pretty small when considering the total attack opportunities that MFA is supposed to prevent. It would be better if we could selectively send this down via policy.

Microsoft

@philliplyle Thanks for the feedback. We feel that all users should have app lock on, from a security perspective. However, the user can still go to Settings and opt out, if they choose.

We are working on building a mechanism for admins to require their users to enable app lock via policy, and in this scenario, users won't be able to turn app lock off.

Copper Contributor

Will this be something that we will be able to configure as forced with an application protection policy? It's nice to have it as a default but from a compliance perspective that wouldn't be enough.

Microsoft

@Jeremy Cooper Yes, we are working on a way to allow admins to require end users to enable app lock. It won't be through App Protection Policy; we investigated that route and found it doesn't make sense for Authenticator, since the app is a mechanism for authentication. Instead, we're working on building a separate channel to enforce policy on the Authenticator app specifically.

Brass Contributor

@Olena Huang 

Is there a way we can stay up-to-date on the policy for the App Lock? 

Steel Contributor

@Olena Huang Adding the location and name of the app, like Duo, would probably serve more to protect users, as mentioned above. This is a good feature, but that info is imperative for users to distinguish push attempts.

Microsoft

@JacobSteentoft we'll be updating our What's New strings in the app stores as we roll these changes out.

Copper Contributor

I've run into issues using passwordless login which seems to fail when app lock is enabled.  Has anyone else experienced this?  Essentially, when prompted to choose the correct number, the screen behind is still locked.  After choosing the correct number, you are then hit with two prompts for PIN/Biometric, and then the process fails saying something went wrong.

Microsoft

@Andrew Thompson seems like you're experiencing a bug. Next time it happens, you can go to Help->Send Logs and privately message me the incident ID so we can investigate. Thanks.

Copper Contributor

Hi

I'm confused regarding public accounts used for backup. When looking at the documentation I can only see Microsoft accounts used for backup. BUT... when I have tried with a Gmail account.... it sometimes works?! Should it work or not? And if not: if you look at a company, roughly 50% have a private Gmail account. When will it be supported?

Brass Contributor

You say that "App Lock will be enabled by default if you’ve set up a PIN or biometric on your device" - for clarification, will this be applied retrospectively to those devices that have already installed Authenticator before this change, or is it only set by default for new installations?

Steel Contributor

@Philip Leighton Pretty sure it is existing users as well. I can see the angry emails now.

Microsoft

@ph_ly @Philip Leighton This change is for both existing users and new users. We believe everyone should have app lock enabled. This is part of our continuing effort to improve security. However, if existing users really do not want this behavior, they can disable it in the app settings.

Copper Contributor

So there is currently no way for admins to disable this feature globally and the only way to disable it is for the user themselves to opt out?  While on the surface more security is better in some scenarios, please understand that your customers may have reasons for not wanting/needing additional security.  Is there something in the works for allowing admins to globally disable this, and if yes, is there an ETA on the roll out?

Brass Contributor

I see where this is helpful, but for those who use the native mail app on the iPhone, it seems to get them stuck in a loop of approving MFA requests.  I've found it has to be turned off to keep our helpdesk sane.

Steel Contributor

@TBone1985 are you doing a PIN? I would like to recreate this issue.

I have to test this. If that's the case it would be devastating for us, as we have a lot of native mail holdouts.

Brass Contributor

@ph_ly - I have it set up in O365/Azure to notify me through the app. When a user changes their password, they then have to authenticate via our ADFS page, then the MS Auth app will prompt for approval. If they just drag the request down and hit approve, things work fine because they are essentially staying in the mail app, but if they click the request prompt, it takes them into the Authenticator app where they can then approve, but no logic takes them back to the Mail app (like it does with the Outlook app). With this new App Lock feature, it forces them to go to the MFA app, so it causes my issues. Currently, I am requesting my users to turn this feature off in the new app. Hopefully you won't have the same situation.

I suspect M$ is wanting us to all use Outlook, but since iOS won't let you make a default mail app, using Outlook on iOS is pointless for most of my users.

Steel Contributor

Evidently changing the default app is part of iOS 14. I think our users have had the same issue, and we have often enrolled them via SMS.

@Olena Huang Problems like this one are sending people away from Authenticator, and it seems like app lock is going to exacerbate the problem. How can we possibly self-service enroll users with such problems?

Brass Contributor

Gotcha, IDK that actually.  Thanks for the heads up.  I am still on 12 because I know going to anything newer would kill my iPhone 8.  Most of my users are the same unfortunately.

Brass Contributor

@Olena Huang Thanks for following up, I tested multiple times over the last week and apart from the first day everything has been back to normal.  I still get a pop up to select the number before I actually unlock the app but after selecting the number, I'm then prompted for 2x facial recognition verifications back to back and it lets me in.

Copper Contributor

This is a good short-term mitigation to an existing problem for many companies. I understand the use case of a child approving MFA by accident when playing with a parent's phone, but this is something each enterprise has to weigh and can be mitigated with other configurations such as passwordless sign-in. As stated by another person, it would be nice to control this policy at the tenant level and to target specific user groups.

Ideally, I would want to control this with an Intune MAM policy so it applies to non-managed devices and also have a way to disable it using Intune MDM so users with managed devices only have to "unlock" the phone once. In other words, I love this feature on unmanaged devices but would prefer not to have it on my managed devices, as I already have a control at the device level.

Microsoft

Thanks for the feedback all. We understand that some of you have concerns about opting-in users to a new behavior. We hear your concerns, and we do have a feature in the works to allow tenants to control whether App Lock is required or not, though we can't share any dates at this time.

To give a bit more background on this, and for those of you who have questions about MAM, we investigated using the existing MAM technology, but found that MAM doesn't make sense for Authenticator. There are a lot of conflicting requirements, since Authenticator is the mechanism for MFA and authentication in many scenarios. We are working on building a new mechanism that would allow admins to send policy down to the Authenticator app. Once we have that mechanism built, the first policy will be to allow admins to require or not require App Lock.

Microsoft

For those of you who are having issues with the iOS native mail app, that's a separate issue because of limitations set by the iOS platform. It's covered in our FAQ: aka.ms/AuthAppFAQ.

I've copied the pertinent information down below.

"While signing in to my work or school account using the default mail app that comes with iOS, I get prompted by Authenticator for my security verification information. After I enter that information and return to the mail app, I get an error. What can I do?

This most likely happens because your sign-in and your mail app are occurring across two different apps, causing the initial background sign-in process to stop working and to fail. To try to fix this, we recommend you select the Safari icon on the bottom right side of the screen while signing in to your mail app. By moving to Safari, the whole sign-in process happens in a single app, allowing you to sign in to the app successfully."
Brass Contributor

@Olena Huang

Thanks for the FAQ. I have found that showing users how to just swipe down on the request saves us much headache. For now, we'll just turn off the app lock.

Copper Contributor

"We made this wholesale change by default without explaining what it is or giving you an option at the point of contact!"  This is BAD user experience.  I do not know what rooms you folks live in where this is virtuous or desirable.  If you want me to be "safer" that's great.  Explain it to me, then give me an OPTION to accept your sage advice, or not!  This happens at least 3x a month with any given feature on the panoply of services we have to use and support. PLEASE STOP "HELPING ME" by default.  It's frustrating, not "helpful".

Copper Contributor

Now that this app lock has been turned on, our MS Authenticator gets stuck in a loop and our employees can no longer click on the Approve button quickly enough before the 12 second time limit cuts them off. We use VPN for our remote employees, so this means our employees also cannot access VPN in a timely manner, and our helpdesk calls are going up daily. We have tried to change the 12 second time limit to 45 seconds and even 60 seconds with no luck so far, so it stays at 12 seconds. Half the time the face recognition or biometric doesn't work on either iOS or Android either. We are instructing our employees to turn off the app lock for now, so that they may access VPN to do their jobs. The triple authentication is causing a lot of aggravation for our company employees.

Microsoft

@ddornberg  Thanks for your feedback. That is frustrating and we are looking into ways to improve the app lock experience so the biometric is more consistent and the overall experience is easier.

Copper Contributor

We also face issues now. Some circumstance stops the application from getting focus and the user doesn't get the automatic notification. Please turn it off!

Microsoft

@ddornberg @Follow1975 Sorry to hear you're facing these issues. It's concerning that the authentication is taking so long (i.e. more than 45 or 60 seconds). The next time this happens, would you mind going to Help->Send Logs and telling us the Incident ID? You can privately message me the Incident ID if you would like.

Copper Contributor

Our timeout issue seems to stem back to the Cisco AnyConnect VPN that we use, but we can't change the timeout from 12 seconds to a longer time frame, as I spoke about in my post above, so it would have been nice to know that this change was coming before it was pushed out to all of our devices company-wide. I don't know how it is decided that if a few companies want this feature turned on, then every company in the world should have it turned on too? Our tech support department of 4 handles almost 800 employees who work in offices or at home, and this is not easy, especially now in the pandemic, as every other IT department is finding out.

Copper Contributor

From a user viewpoint, I've been using MS Authenticator on my iPhone for some time with no problems. I don't have Touch ID enabled, but after this change, my phone is prompting for it in certain situations. I have no fingerprints enrolled and TouchID is not supposed to be required for anything, but when I try to view Website & App Passwords, or when I try to use Microsoft Authenticator, I'm prompted for Touch ID. In the case of MS Authenticator, it says App Lock is enabled. I have the option to enter my passcode or use Touch ID, but there's no way to enter a passcode - no on-screen keyboard, no options. Only a Cancel button. I can't turn AppLock off, because this has the same behavior. I have checked settings for Authenticator and there's no option to disable this. I've also removed and reinstalled Authenticator.

Copper Contributor

@KurtHenning

This morning I crafted a note to our whole company on how to disable the App Lock for iOS and Android and sent it. Within minutes I started receiving calls from employees who could not get the app lock to disable and ran into the same issue that Kurt ran into yesterday. I finally was able to get the first employee's phone to disable it, but for the second employee, after trying for 20 minutes, I told her to remove her PIN code security completely, then disable the app lock, and then re-enable the PIN code on her phone, and now she is again able to use her MFA in the manner she needs to so she may do her job. Enabling this first without bothering to allow companies to do it has been extremely frustrating for our Tech Support group and for the employees who just want to do their job with the least amount of hassle during this time of extreme upheaval.

Microsoft

@ddornberg @KurtHenning Sorry for the difficulty you've been experiencing. We are looking into why you cannot disable app lock. If you encounter this again, could you go to Help->Send Logs and privately message me the Incident ID? Thank you.

Copper Contributor

I'm having the same issue as @KurtHenning. How can I disable the App Lock? I need to be able to Approve for sign-in for one of my clients and I'm unable to do so!!!

Microsoft

@MRAMSAHAI You can go to the Settings page in the app and turn it off. If that's not working, please go to Help->Send Logs and privately message me your incident ID. Sorry for the difficulty you're experiencing.

Copper Contributor

I figured out how to remove the Touch ID and be able to enter my passcode - all I had to do was remove a finger - ouch! iPhone > Settings > Touch ID and Passcode > remove Fingerprint 1. Then in the Microsoft Authenticator app I was able to "Enter iPhone passcode for "Authenticator"" and proceed.

@Olena Huang Yes, this new feature being enabled by default does wreck the Apple Watch experience. Confirmed with several users at my org. The watch notifies you that you have an approval but you have to go back to the phone to approve.  Disabling App Lock brings back the ability to approve on the watch itself.

Microsoft

@Kevin Crossman Do you and your users have a passcode set on the Watch? If you do have a passcode, you should be able to approve on the Watch even when App Lock is enabled. If you don't have a passcode, we ask you to use your phone, where there is a passcode.

Iron Contributor

@Olena Huang I have a passcode on my iPhone and Apple Watch and experience the same issue.

@Olena Huang Well, my phone has a passcode (like most phones tied to Intune) and same for Watch. But once I put on the Watch and then unlock my phone then the Watch is unlocked until I take it off. Both seem like very common setups.

I'm not sure what App Lock is providing. My phone is locked and I get an Authenticator approval. I have to unlock the phone and then (when App Lock is on) it subsequently FaceID scans twice before approving. I do not understand why it needs to scan twice (after already FaceID scanning to unlock the device).

Copper Contributor

Watch Notifications are COMPLETELY BROKEN now when App Lock is enabled on Apple watchOS 7 and iOS 14. Started this morning after I updated both my Watch and iPhone yesterday. Here is the error message on my Watch as soon as I hit Approve. If I disable App Lock it starts working as expected. I was really giving App Lock a chance and hesitant to tell users to disable it, but I am spending too much time troubleshooting with users to leave it enabled. Please reconsider making this the default without first giving Admins the ability to disable it org-wide.

[Image: Apple WatchOS7 App Lock Authenticator Error.jpg]

Microsoft

@GarrettFurr Sorry for the issues you're experiencing. We'll look into it. Would you mind going to Help->Send Logs on your phone and sending logs? They'll send automatically, and you can privately message me the incident ID.

Copper Contributor

@Olena Huang PM sent. Thank you!
