
Microsoft Entra Blog

The latest enhancements in Microsoft Authenticator

Nitika Gupta
Oct 22, 2024

Hi folks,

I'm thrilled to announce three major Microsoft Entra ID advancements that will help you protect your users with phishing-resistant authentication:

  • Public preview refresh: Device-bound passkey support in Microsoft Authenticator
  • Public preview: Support for FIDO2 security keys on native brokered applications, such as Outlook and Teams, on Android 14
  • General availability: FIPS compliance for Microsoft Authenticator on Android

These advancements are crucial, not only for adhering to the US Executive Order 14028 on Improving the Nation's Cybersecurity, but also for safeguarding all organizations and users who rely on secure digital identities. Let’s dig deeper!

Public preview refresh: Device-bound passkey support in Microsoft Authenticator

During World Password Day in May, we announced the public preview of device-bound passkey support in Microsoft Authenticator for iOS and Android, tailored for organizations with higher security assurance requirements. We’re now refreshing this feature with some exciting new capabilities! 

During public preview, customers told us that passkey registration could be cumbersome and error-prone. Some users registering from a laptop went through as many as 19 steps, missed essential prerequisites such as enabling Bluetooth on their device, or inadvertently set up their passkey with an unsupported provider. Based on this feedback, we've reworked the registration flow so that it adapts to the user's situation and gets them to a working passkey. The flow now starts by directing users to sign into the Authenticator app, which walks them through the prerequisites on the device that will hold the passkey and significantly reduces context switches between devices.

In addition to the user experience improvements, we've strengthened the security posture by adding attestation support. When configured, Entra ID uses Android and iOS platform APIs to verify that the Microsoft Authenticator app on the user's device is genuine before the passkey is registered. This is a registration-time check on the app that creates the credential; it complements, rather than replaces, the user verification the passkey performs at each sign-in.
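As an added illustration of what a relying party checks at registration time (this is example code written for this page, not Microsoft's code and not how Entra ID implements attestation internally), the Python below parses the authenticator data from a FIDO2/WebAuthn registration response and applies the policy gates that decide whether a passkey is accepted: the rpIdHash must match the expected RP ID, the user-verified and attested-credential flags must be set, the authenticator's AAGUID must be on the allowlist of approved passkey providers, and an attestation statement must be present when attestation is enforced. The RP ID, the AAGUID values and the two sample registrations are constructed for the example; real AAGUIDs come from the provider's documentation.

```python
"""Added example (not Microsoft's code): parse WebAuthn authenticator data and
apply the registration-time policy checks a relying party makes on a passkey."""
import hashlib
import struct
import uuid

# Flag bits in the authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

# ASSUMPTION: placeholder AAGUIDs standing in for the passkey providers an admin
# has allowed. Real values come from the provider's documentation.
ALLOWED_AAGUIDS = {
    uuid.UUID("00000000-0000-4000-8000-000000000001"),  # constructed: approved provider A
    uuid.UUID("00000000-0000-4000-8000-000000000002"),  # constructed: approved provider B
}
EXPECTED_RP_ID = "example.com"  # ASSUMPTION: the RP ID this policy applies to


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fixed fields and, when the AT flag is
    set, the attested credential data (AAGUID, credential ID, COSE public key)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte minimum")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        aaguid = uuid.UUID(bytes=auth_data[37:53])
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID length exceeds available data")
        parsed["aaguid"] = aaguid
        parsed["credential_id"] = cred_id
        # The COSE public key (CBOR) follows the credential ID; kept as raw bytes here.
        parsed["credential_public_key"] = auth_data[55 + cred_len:]
    return parsed


def check_registration(auth_data: bytes, fmt: str, rp_id: str = EXPECTED_RP_ID,
                       allowed_aaguids=ALLOWED_AAGUIDS, enforce_attestation: bool = True) -> list:
    """Return the list of policy violations; an empty list means the registration is acceptable.
    `fmt` is the attestation statement format taken from the attestationObject."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not parsed["flags"] & FLAG_UP:
        problems.append("user presence flag not set")
    if not parsed["flags"] & FLAG_UV:
        problems.append("user verification flag not set (required for a passkey used as MFA)")
    if not parsed["flags"] & FLAG_AT:
        problems.append("no attested credential data: nothing to register")
        return problems
    if parsed["aaguid"] not in allowed_aaguids:
        problems.append(f"AAGUID {parsed['aaguid']} is not an allowed passkey provider")
    if enforce_attestation and fmt == "none":
        problems.append("attestation is enforced but the authenticator returned fmt 'none'")
    return problems


def build_authenticator_data(rp_id: str, flags: int, sign_count: int, aaguid: uuid.UUID,
                             credential_id: bytes, cose_key: bytes = b"") -> bytes:
    """Construct authenticator data for testing (the inverse of parse_authenticator_data)."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid.bytes
            + struct.pack(">H", len(credential_id))
            + credential_id
            + cose_key)


# Constructed sample registrations: one that passes every gate, one that trips three of them.
GOOD = build_authenticator_data(EXPECTED_RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 0,
                                uuid.UUID("00000000-0000-4000-8000-000000000001"), b"\x11" * 32)
BAD = build_authenticator_data(EXPECTED_RP_ID, FLAG_UP | FLAG_AT, 0,
                               uuid.UUID("ffffffff-ffff-4fff-8fff-ffffffffffff"), b"\x22" * 32)

if __name__ == "__main__":
    print("good:", check_registration(GOOD, fmt="packed") or "accepted")
    for problem in check_registration(BAD, fmt="none"):
        print("bad:", problem)
```

The AAGUID allowlist is the lever that restricts registration to approved providers (for example, only the Microsoft Authenticator AAGUIDs), and the `fmt == "none"` gate is what makes "enforce attestation" bite: an authenticator that declines to attest returns the `none` format, and a policy that accepts it has no basis for trusting the provider identity the AAGUID claims.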

Figures 1-4: Passkey in Microsoft Authenticator

Both capabilities, the improved registration flow and attestation support, are now in public preview. We encourage you to pilot them in your organization and share your feedback with us as we prepare for general availability.

To get started, please refer to our documentation. To learn more about passkey support in Microsoft Entra ID, please read our original announcement, Public preview: Expanding passkey support in Microsoft Entra ID.

Public preview: Passkey (FIDO2) authentication in brokered Microsoft applications on Android

Alongside the public preview refresh of passkey support in Microsoft Authenticator, we're also introducing public preview support for passkey (FIDO2) authentication within brokered Microsoft applications on Android. Users can now sign into Microsoft apps such as Teams and Outlook with a FIDO2 security key or with a passkey in the Microsoft Authenticator app, provided that either the Microsoft Authenticator app or the Microsoft Intune Company Portal app is installed as the authentication broker on an Android 14 or later device.

Support for FIDO2 security key sign-in to brokered Microsoft apps on Android 13 will follow in the coming months.

General availability: FIPS compliance for Microsoft Authenticator on Android

Microsoft Authenticator is now FIPS 140 compliant on both iOS and Android. The iOS app has been FIPS 140 compliant since December 2022; the FIPS 140 compliant version of the Android app was released in September 2024.

FIPS 140 compliance for Microsoft Authenticator helps federal agencies meet the requirements of Executive Order (EO) 14028, "Improving the Nation's Cybersecurity", and helps healthcare organizations meet the requirements for Electronic Prescriptions for Controlled Substances (EPCS).

All Microsoft Entra ID authentications performed with Authenticator, including passkeys, passwordless phone sign-in, multifactor authentication (MFA) and one-time password codes, are FIPS 140 compliant. No configuration change is required in Microsoft Authenticator or in the Microsoft Entra admin center. Users on Microsoft Authenticator version 6.2408.5807 or higher on Android are FIPS 140 compliant by default for Microsoft Entra ID authentication, so the practical check is the installed app version.

Microsoft Authenticator on Android uses wolfSSL Inc.'s wolfCrypt module to achieve FIPS 140-3 Level 1 compliance. Level 1 is the software-module level: it validates the cryptographic implementation and does not add physical or hardware protection requirements for keys. For details on the certificate being relied on, refer to the Cryptographic Module Validation Program (CMVP) listing.

With these releases, we've significantly improved both the user experience and the security posture of Microsoft Authenticator, making it easier to reach your phishing-resistance goals. If you haven't yet planned for phishing-resistant authentication, we strongly recommend doing so; our updated passwordless deployment guide is a good place to start.

We look forward to you trying out these improvements and sharing your feedback. 

Thank you,

Nitika Gupta

Updated Oct 23, 2024
Version 2.0
  • hitech9x
    Brass Contributor

    Nitika Gupta,

    Any thoughts around allowing the Microsoft Authenticator App (AppID: 4813382a-8fa7-425e-ab75-3b753aab3abb) selective targeting via conditional access? I work for a large corp. and force an app protection policy by default on all apps for BYOD scenarios with iOS / Android. The issue is that the CA policy blocks sign-in from the authenticator app because it doesn't support an app protection policy, and there is no way to exclude it from what I can tell. Using the cross-device setup by scanning a QR code from a PC works, but signing in directly from the authenticator app doesn't. This is the case for setting up a passkey like above, but also for registering MFA directly from the device.

    It's a pretty big limitation not being able to target the authenticator app given that for BYOD scenarios, we want to block most app by default and selectively allow only things that support an app protection policy. If I could just exclude the authenticator app life would be much easier.

    I also submitted this here about 3 months ago and haven't heard anything: https://feedback.azure.com/d365community/idea/79700c7f-fd48-ef11-b4ac-000d3a7b1c7e

  • Rafal_Fitt
    Iron Contributor

    This is great news!

    "Users can now use a FIDO2 security key or passkey" - will it work properly with applications in Work Profile (BYOD or COPE scenarios)?

    • Alber
      Iron Contributor

      The Microsoft Authenticator app is not even an approved app, nor an app that an app protection policy can be applied to.

      Before this preview everything worked fine.

      Something must be wrong.

  • Laurie_Aldam
    Copper Contributor

    This seems like an easier process for end users.

    Are there any plans to be able to set the Authenticator app as a passkey provider with Intune for managed devices?

    If this is possible then it would make the process a bit easier for our end users.

  • AndrewRX
    Copper Contributor

    After enabling it as an authentication method in Entra ID, we are seeing Android Authenticator fail on the Conditional Access 'Require approved app' grant. iPhone currently doesn't even attempt passkey enrollment.

  • john66571
    Brass Contributor

    So, Bluetooth is considered a breach protocol in yellow and red zones. Will there be USB support?

  • AndrewRX
    Copper Contributor

    Rafal_Fitt, I have already migrated as per that guidance to: Require one of the selected controls: Require approved client app and Require app protection policy.