Microsoft Previews Authenticator Lite for Outlook Mobile Apps

Microsoft on Tuesday announced a public preview of a new "Authenticator Lite" solution for Outlook Mobile apps.

While Microsoft described Authenticator Lite as being a public preview release, not all organizations using Azure Active Directory will have access to it. It may not be available because the "rollout has not yet completed across Outlook applications," Microsoft indicated in this document on Authenticator Lite.

If Authenticator Lite is available for an Azure AD tenancy, then it's possible for IT departments to enable or disable it using the "Entra portal via the Authenticator configuration page" or via the Microsoft Graph.

Microsoft Managed Setting
IT departments also have the option to use a "Microsoft Managed" setting, where Azure Active Directory will make the decision to enable or disable certain features. This setting can be used to let Microsoft turn on default Authenticator Lite capabilities, for instance.

Here's how the Microsoft Managed setting was described in this Microsoft document:

"The option to let Azure AD manage the setting is a convenient way for an organization to allow Microsoft to enable or disable a feature by default. Organizations can more easily improve their security posture by trusting Microsoft to manage when a feature should be enabled by default. By configuring a setting as Microsoft managed (named default in Graph APIs), IT admins can trust Microsoft to enable a security feature they haven't explicitly disabled."

This Microsoft Managed capability doesn't always turn on all protections. For instance, the location and application name notifications in Microsoft Authenticator's push notifications, which are designed to give end users additional clues about authentication prompts, are presently disabled under the Microsoft Managed scheme, Microsoft's document explained.

One caveat for Microsoft Managed setting users is that Microsoft intends to enable Authenticator Lite on May 26, 2023 for all users with tenancies using that setting. "If you wish to change the state of this feature, please do so before May 26th, 2023," Microsoft's Authenticator Lite document stated.
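
The Microsoft Managed behavior described above, as an added example that is not from the article or from Microsoft: a Python audit that resolves each Authenticator feature setting to its effective state and flags any setting left on "default" whose state will change on May 26, 2023. The JSON is constructed sample data; the three setting names follow the Microsoft Graph Authenticator method configuration rather than the article, and treating Authenticator Lite as off before the rollout date is an assumption.

```python
import json
from datetime import date

# Constructed sample shaped like the Microsoft Authenticator method
# configuration in Microsoft Graph; not real tenant data.
SAMPLE_POLICY = json.loads("""
{
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "featureSettings": {
    "companionAppAllowedState": {"state": "default"},
    "displayAppInformationRequiredState": {"state": "default"},
    "displayLocationInformationRequiredState": {"state": "enabled"}
  }
}
""")

LITE_ROLLOUT = date(2023, 5, 26)  # date stated in the article
FEATURES = (
    "companionAppAllowedState",                 # Authenticator Lite
    "displayAppInformationRequiredState",       # app name in the push prompt
    "displayLocationInformationRequiredState",  # location in the push prompt
)

def managed_default(feature, on_date):
    """State that "default" (Microsoft managed) resolves to on a given date."""
    if feature == "companionAppAllowedState":
        # Assumption: Authenticator Lite counts as off before the rollout date.
        return "enabled" if on_date >= LITE_ROLLOUT else "disabled"
    return "disabled"  # per the article, context notifications stay off

def audit(policy, today):
    """Report configured and effective state for each known feature."""
    settings = policy.get("featureSettings", {})
    findings = []
    for feature in FEATURES:
        # Assumption: a missing setting is treated as Microsoft managed.
        configured = settings.get(feature, {}).get("state", "default")
        managed = configured == "default"
        now = managed_default(feature, today) if managed else configured
        later = managed_default(feature, LITE_ROLLOUT) if managed else configured
        findings.append({"feature": feature, "configured": configured,
                         "effective": now,
                         "changes_on_rollout": managed and now != later})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, date(2023, 5, 1)):
        print(finding)
```

A finding with `changes_on_rollout` set to true marks a setting that should be explicitly enabled or disabled if the tenant does not want Microsoft's default to decide it.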

Reasons To Use Authenticator Lite
Authenticator Lite, which is getting embedded into the Outlook Mobile apps for Android and iOS client devices, offers an alternative to text- or voice-based secondary authentication methods. It uses push notifications to prompt end users for authentications. Users also will have access to a time-based one-time password (TOTP) via the Authenticator Lite app.

Authenticator Lite also prompts end users to enter a displayed number, which is a protection against so-called "multifactor authentication (MFA) fatigue." With MFA fatigue attacks, an attacker has already compromised a user's password but still needs to get the user to verify the secondary authentication prompt, so they bombard the user with such prompts. An attacker typically can't see an authentication number, though.

Microsoft previously argued in this 2020 announcement that text and voice prompts used for MFA are old public switched telephone network approaches that are "the least secure of the MFA methods available today." Those methods use protocols that don't enable encryption, and so the "signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device."

Microsoft already has an Authenticator app that can be used on mobile devices with Outlook. However, "Authenticator Lite, as the name suggests, will extend a subset of the Authenticator's capabilities into Outlook," the announcement explained. The differences between the two Authenticators weren't described, though.

The Authenticator app sometimes can be installed with Authenticator Lite, but there are nuances. Here's how it was characterized in the Authenticator Lite document:

"Users that have Microsoft Authenticator on their device can't register Authenticator Lite on that same device. If a user has an Authenticator Lite registration and then later downloads Microsoft Authenticator, they can register both. If a user has two devices, they can register Authenticator Lite on one and Microsoft Authenticator on the other."

Authenticator Lite was described as being "only available on Outlook mobile." It's not available for the Outlook desktop app.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

