Big Changes Coming to Microsoft Authenticator Apps

UPDATE: I received some good news from Microsoft. See below. –Paul

Microsoft announced that it will ship new versions of its Microsoft Authenticator app to “all mobile app stores—meaning for Android, iPhone, and Windows 10 Mobile—on August 15. This new app will combine the functionality from two previous authenticator apps and will work with both consumer Microsoft accounts and business-focused Azure AD accounts.

Confused? Well, that’s why Microsoft is consolidating its previously-separate authenticator apps into a single app experience on each mobile platform. But it appears that this new “one app” approach won’t work with non-Microsoft accounts (Google, Dropbox, etc.) unless I’m missing something. And that will limit its appeal.

Like other similar solutions—I’ve been using LastPass Authenticator recently, and Google has been working to simplify this process as well—the new Microsoft Authenticator app will let you use multi-factor authentication(MFA), or what’s sometimes called two-factor authenticationor two-step authentication in the consumer world, with your online accounts.

Whatever the name, the idea here is as simple as it is effective: MFA improves the security of your online accounts by adding a second “factor” to the authentication process used to prove that you are you. For those consumer-oriented online accounts, the first factor is always your password. The second factor is usually a code generated by a smart phone app, or sent via text message to your smart phone.

I strongly recommend that you use MFA on all of your online accounts that support this method of authentication—most now do—because it’s much more secure than just using a password. And if hackers somehow gain control of your account(s), they will stymied by not having access to one or more of the authentication factors needed to access the contained information.

As I noted in Tip: Protect Your Online Accounts with Two-Factor Authentication, “the inclusion of your smart phone to the mix is important. A password is something that you know. But your smart phone is something you possess, something that will typically be with you at all times (and will itself be protected by at least a four-digit PIN of its own). The theory here is that, yes, hackers could potentially steal your password, but they won’t also have your smart phone—or other second factor, whatever that may be—so they won’t be able to seize control of your account.”

As noted, the most typical way to use MFA is with a smartphone-based authenticator app of some kind. The problem is, these apps sometimes work a bit differently, or only on certain platforms, or only with certain account types.

Standard authenticator apps, like Microsoft Authenticator on Windows phone, Google Authenticator on Android and iOS, or LastPass Authenticator, just sit there and generate codes for each account. So when you get a second factor request during a sign-in, you have to wake up your phone, find the app, look at and memorize the code, and then type it in (on your PC, if that’s what you’re using, or wherever the request is coming from).

That works, but there are better ways. Today, for example,the very best authenticator app is from Microsoft … but it only works on Android, and it only works with Microsoft Accounts(!). Oh, it get weirder: The app is called Microsoft Account. But it works brilliantly: When you get a second factor request on your PC or elsewhere, the Microsoft Account app on your Android phone displays a notification so you can approve it by just tapping the screen. It’s great. If you’re using Android. And only need to protect a Microsoft account.

Microsoft is apparently trying to bridge these solutions now with a single app that supports Android, iPhone and Windows 10 Mobile (and not older Windows Phone OS versions) … and that works with Microsoft accounts and corporate Azure AD accounts. If this thing worked with any online account—it’s not clear from the announcement—it would be the only authenticator app anyone would need.

“As many of you know, we’ve had separate authenticator apps for Microsoft account and Azure AD for quite a while – the Azure Authenticator for enterprise customers and the Microsoft account app for consumers,” Microsoft’s Alex Simons explains. “With the new Microsoft Authenticator, we’ve combined the best of both into a single app that supports enterprise and consumer scenarios.”

Here’s what Simons says the new app will provide:

User experience refresh. The app experience is incredibly simple while maintaining the highest level of security.

Best in breed MFA experience through one-click push notifications. You only need to click the ‘approve’ button in the notification to complete your login. (And in most cases, you won’t even need to open the app to complete the approval.)

Support for wearables. You can use an Apple Watch or Samsung Gear device to approve MFA challenges. Microsoft Band will be supported in future releases, Mary Jo Foley was told.

Finger prints instead of passcodes. The app supports fingerprint-based approvals on both iPhone and Android. Windows Hello support is also coming in a future update on Windows 10 Mobile, Ms. Foley likewise reports.

Certificate based authentication. Support for enterprise customers to sign in through certificates instead of passwords.

So this is good news. And great news if this thing actually works with any online account that supports MFA.

UPDATE: It’s great news. Microsoft tells me that its new Authenticator apps will in fact work with any online account that supports MFA.

@Alex_A_Simons: @thurrott Just read your article. Microsoft Authenticators will support OATH at GA! I use with Facebook & Google all the time now.