News

Microsoft Previews Authenticator Companion App for Apple Watch

• By Kurt Mackie
• 08/27/2018

Microsoft on Monday announced a preview of the Microsoft Authenticator companion app for use on the Apple Watch.

It's a companion app, so it works in conjunction with the Microsoft Authenticator app version 6.0.0 (or higher) for the Apple iPhone. Microsoft expects that the Apple Watch Authenticator companion app will reach "general availability" (commercial-ready status) "within the next few weeks."

The Microsoft Authenticator companion app only works with Microsoft accounts, which can be personal, work or school accounts. People who want to use other sign-in accounts, such as Facebook or Google accounts, will have to use the Microsoft Authenticator app directly on their mobile phones, according to Microsoft's FAQ document.

Using the Apple Watch with the Microsoft Authenticator app is an alternative to using a smartphone to respond to identity sign-in verification notices. Users typically get identity sign-in verification notices when two-factor identification is required to grant access to network resources, such as apps and files. Typically, a phone call response or PIN text response from the end user is needed to secondarily affirm a user's identity in such situations. The use of the Microsoft Authenticator companion app for the Apple Watch permits the end user to approve a sign-in notification request via a PIN or biometric response, Microsoft's announcement explained.

Here's how Microsoft conceives of the Apple Watch as part of the two-factor authentication process:

From a security standpoint, we still consider the experience on the Watch as two-step verification. The first factor is your possession of the Watch. The second factor is the PIN that only you know. 

The Apple Watch needs to be set up to accept push notifications, and the watch needs to be paired with a mobile phone for setup purposes. The watch needs to be unlocked for the two-step verification scheme to work. If the watch is within range of the paired phone, it'll stay unlocked.

The Microsoft Authenticator for the Apple Watch requires running Apple watchOS 4.0 or higher.

In other Microsoft identity and access news, Microsoft noted its support last week for the Token Binding specification being shepherded by the Internet Engineering Task Force (IETF). Token Binding is a client device-based means of verifying user access to resources.

While cookies and tokens are typically used during the user authentication process, they "can be used outside of the original TLS [Transport Layer Security protocol] context in all sorts of malicious ways," explained Pamela Dingle, director of identity standards on the Azure Active Directory team, in an announcement. The Token Binding approach will be an improvement over the old bearer token approach because it compares cryptographic material sampled at the time of token issuance to cryptographic material sampled at the time of token use.

"Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued," Dingle explained.

Microsoft sees Token Binding as being a long-term prospect for improving identity assurance. It will require future testing by vendors, but the spec currently is "well on its way towards final ratification" by the IETF, Microsoft indicated.