Microsoft Tweaks Authenticator with Added Passkey Support, FIPS Compliance
Microsoft is updating its Authenticator app to be even more "phishing-resistant," Microsoft announced Tuesday.
Organizations use Authenticator to implement multifactor authentication (MFA) on iOS and Android devices. Microsoft has long touted the app as a phishing deterrent. The enhancements announced this week are designed to improve its "user experience and security posture," making it easier for organizations to meet their "phishing-resistance goals," according to Microsoft.
Passkey Management Improvements
For Android 14+ devices, a new feature enabling Authenticator to support FIDO2 passkeys in brokered Microsoft apps is now in public preview.
"Users can now use a FIDO2 security key or passkey in the Microsoft Authenticator app to sign into Microsoft apps, such as Teams and Outlook, when either the Microsoft Authenticator app or Microsoft Intune Company Portal app is installed as the authentication broker," Microsoft explained.
Android 13 devices are expected to receive this feature in coming months, per Microsoft.
Additionally, Microsoft has improved Authenticator's device-bound passkey capability, which has been in public preview since May. This feature lets organizations in highly regulated industries use device-bound passkeys (i.e., cryptographic keys that are tied to and stored on a specific device and cannot be transferred to another) by hosting them in Authenticator.
However, since the public preview's release, users have struggled to use the feature to register their device-bound passkeys. "Some users, when registering from their laptops, encountered as many as 19 steps, missed essential prerequisites like enabling Bluetooth on their device, or inadvertently set up their passkey with an unsupported provider," Microsoft explained.
Based on user feedback, Microsoft has made this preview capability more seamless and user-friendly, reducing the likelihood of errors. Users must now first sign into Authenticator to begin the registration process. A new attestation step verifies the legitimacy of the Authenticator app using Android and iOS APIs.
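As an added defender-side illustration (not code from Microsoft or from this article): a relying party cannot take "device-bound" on trust from the client. The WebAuthn authenticator data returned at registration and sign-in carries backup-eligible (BE) and backup-state (BS) flag bits, so a server enforcing a device-bound passkey policy can reject credentials whose private key may be synced off the device. The relying-party ID `example.com` and the sample headers below are constructed for the demonstration.

```python
import hashlib
import struct

# WebAuthn authenticator data flag bits (the flags byte sits at offset 32).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the private key may be synced off-device
FLAG_BS = 0x10  # backup state: the private key is currently backed up


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_device_bound_policy(auth_data: bytes, rp_id: str) -> bool:
    """Return True only if the credential is scoped to rp_id, the user was
    verified, and the key is neither eligible for nor currently in backup."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # response was produced for a different relying party
    if not (parsed["user_present"] and parsed["user_verified"]):
        return False
    return not (parsed["backup_eligible"] or parsed["backup_state"])


def build_sample(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample header (not real authenticator output)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: a device-bound credential and a synced one for the same RP.
DEVICE_BOUND = build_sample("example.com", FLAG_UP | FLAG_UV)
SYNCED = build_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)

if __name__ == "__main__":
    print("device-bound sample passes:", check_device_bound_policy(DEVICE_BOUND, "example.com"))
    print("synced sample passes:", check_device_bound_policy(SYNCED, "example.com"))
```

In a real deployment the same check runs after signature verification on every assertion, not just at registration, because the BS flag can change over the credential's lifetime.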
Android FIPS Compliance
Nearly two years after the Authenticator app for iOS became compliant with the FIPS 140 standard, the Android app has reached the same milestone.
The Federal Information Processing Standard (FIPS) 140 sets security requirements for the cryptographic modules used by U.S. government agencies. Compliance with FIPS 140 means organizations that use Authenticator meet the requirements of the Biden administration's Executive Order 14028, which requires government agencies to use phishing-resistant authentication.
"All authentications in Microsoft Entra ID with Authenticator including passkeys, passwordless phone sign-in, multifactor authentication (MFA), and one-time password codes are considered FIPS compliant," said Microsoft. "No changes in configuration are required in Microsoft Authenticator or Microsoft Entra ID admin center to enable this capability."