Many customers work in environments with security and compliance requirements that authenticators use cryptography validated under the Federal Information Processing Standards (FIPS) 140 (see NIST SP 800-63B). We're excited that Microsoft Authenticator on iOS is now FIPS 140 compliant (Android coming soon). Authenticator version 6.6.8 and higher on iOS is FIPS 140 compliant for all Azure Active Directory (Azure AD) authentications using push multifactor authentication (MFA), Passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP).
FIPS 140 compliance for Authenticator also helps federal agencies meet the requirements of Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” and helps healthcare organizations meet the requirements for Electronic Prescriptions for Controlled Substances (EPCS).
No configuration changes are required in the Authenticator app or the Azure portal to enable this capability. Users on Authenticator version 6.6.8 and higher on iOS are FIPS 140 compliant by default for Azure AD authentications.
Authenticator uses Apple's native cryptography to achieve FIPS 140 Security Level 1 compliance on iOS devices. For more information about the certifications being relied on, see the Apple CoreCrypto module.
As always, we want to hear from you! Feel free to leave comments down below or reach out to us on aka.ms/AzureADFeedback.
Best regards,
Alex Weinert (@Alex_T_Weinert)
VP Director of Identity Security, Microsoft