Microsoft Previews Password Storage via the Microsoft Authenticator App

Microsoft this week announced a preview of a user name and password autofill capability in the Microsoft Authenticator app.

The Microsoft Authenticator app is used to enable "multifactor authentication" before accessing apps or Web sites. Users verify their identities via a PIN or face scan. The autofill capability is new to the app, and lets Microsoft Authenticator serve as a user name and password storage service for more easily accessing apps and sites.

The password autofill capability in the Microsoft Authenticator app works with the Microsoft Edge browser, and there's a Microsoft Autofill extension for the Google Chrome browser. It's supported using those browsers on mobile operating systems, namely "iOS (iOS 12.0 and above) and Android (Android 6.0 and above)." Windows wasn't mentioned. There's a configuration process that mobile device users need to go through if they want to make the Microsoft Authenticator app their "default autofill provider" for storing passwords.

The benefit of having Microsoft Authenticator store and recall passwords is that end users perhaps will be encouraged to use complex passwords. At least, that notion was put forward by Alex Simons, corporate vice president of program management at the Microsoft Identity Division, in the announcement.

The preview only works for users having Microsoft accounts, which are associated with Microsoft's consumer-side credentialing service. It's currently disabled ("grayed out") for enterprises and organizations using Azure Active Directory-based work or school accounts. Organizations wanting it, though, can send a request to Microsoft.

Passwords only get saved when end users approve saving them. Microsoft Authenticator doesn't automatically save the passwords.

Microsoft claimed that the stored passwords are protected by the "biometrics and passcode" aspects of the Microsoft Authenticator app itself, according to an FAQ document:

"Before you can autofill password on an app or site, Authenticator requires biometric or device passcode. This ensures that even if someone else has access to your device, they cannot fill or see your password, as they'd be unable to provide the biometric or device PIN. Furthermore, a user cannot open the Passwords page unless they provide biometric or PIN, even if they turn off App Lock in app settings."

Moreover, the passwords stored by Microsoft Authenticator on the device are encrypted. The decryption keys are never stored, but instead are "always generated on the fly." Microsoft uses Secure Sockets Layer-protected HTTPS connections to sync the passwords.

Microsoft likely will offer the autofill capability of the Microsoft Authenticator app to organizations at some point. Organizations wanting to test it now, though, will have to enable it for everyone.

According to the FAQ, "enterprises can only enable passwords autofill for all or none of their employees at this time," adding that "we will gradually expand these controls."

Joe Belfiore, Microsoft's corporate vice president for the Experiences and Devices Division, praised the new feature in a Twitter post. It'll make passwords used with Microsoft Edge browsers available "like magic" for mobile phone apps, he suggested.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

