Microsoft Authenticator app lock now enabled by default

This post has been republished via RSS; it originally appeared at: Azure Active Directory Identity Blog articles.

Howdy folks,

 

We’re always listening to your feedback about Microsoft Authenticator and what we can do to make the app more secure and easier for end users. A few years ago, we released our App Lock feature in response to feedback that you wanted to make sure your app was secured by a PIN or biometric. Last month, we expanded App Lock’s protection. Now, if App Lock is enabled, when you approve any notification, you’ll also have to provide your PIN or biometric.

 

With our latest release, as part of our effort to make your sign-in experience even more secure, App Lock will be enabled by default if you’ve set up a PIN or biometric on your device.

 

authapp1.png

 

Try it out

If you don’t have the Microsoft Authenticator app yet, get it here. You’ll need to be on version 6.4.22+ on iOS to try this out.

 

We’ve been rolling out this feature to iOS TestFlight starting today, and we’ll be gradually rolling out to all users over the next few weeks. The update will come to Android next month.

 

How different notifications will work

Azure AD and MSA MFA notifications

Currently, when the notification arrives on the phone, you can click approve/deny from the lock screen. However, when app lock is enabled, you will have to launch the app (on iOS) or launch a dialog (on Android) before you can click approve/deny, and you’ll also need to provide an additional PIN/bio gesture to successfully authenticate. Thus, even if you leave your phone unlocked on your desk and walk away, a passerby cannot approve the notification for you.

 

authapp2.png

 

Enterprise on-premise MFA notifications that already require a PIN

 

The flow will remain as it is today. After you interact with the notification, you will need to provide your MFA pin (not your device pin). In subsequent approvals, you will have the option to use your device bio gesture instead of your MFA pin.

 

Azure AD and MSA Phone sign-in notifications

 

The flow will remain as it is today.

 

Additional questions


If you have questions, check out our FAQ page.

Also, we want to hear from you! Feel free to leave comments down below or reach out to us on Twitter (@AzureAD)

 

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

Learn more about Microsoft identity:

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.