Microsoft Authenticator
Microsoft describes the Authenticator as “More secure. Passwords can be forgotten, stolen, or compromised. With Authenticator, your phone provides an extra layer of security on top of your PIN or fingerprint.” As a naturally curious security professional, I am constantly trying out new security services and decided to test Microsoft’s.

Jun 10, 2021

Set up the Microsoft Authenticator app from the Security info page. Depending on your organization’s settings, you might be able to use an authentication app as one of your security info methods. You aren't required to use the Microsoft Authenticator app, and you can choose a different app during the set up process.
The National Institute of Standards and Technology (NIST) develops the technical requirements for US federal agencies that are implementing identity solutions. NIST SP 800-63B defines the technical guidelines for the implementation of digital authentication. It does so with a framework of authenticator assurance levels (AALs). AALs characterize the strength of the authentication of a digital identity. The guidance also covers the management of the lifecycle of authenticators, including revocation.
The standard includes AAL requirements for these requirement categories:
- Permitted authenticator types
- Federal Information Processing Standards 140 (FIPS 140) verification level (FIPS 140 requirements are satisfied by FIPS 140-2 or newer revisions)
- Reauthentication
- Security controls
- Man-in-the-middle (MitM) resistance
- Verifier-impersonation resistance (phishing resistance)
- Verifier-compromise resistance
- Replay resistance
- Authentication intent
- Records retention policy
- Privacy controls
Apply NIST AALs in your environment
Tip
We recommend that you meet at least AAL2. Meet AAL3 if necessary for business reasons, industry standards, or compliance requirements.
In general, AAL1 isn't recommended because it accepts password-only solutions, and passwords are the most easily compromised form of authentication. For more information, see the following blog post: Your Pa$$word doesn't matter.
While NIST doesn't require verifier impersonation (also known as credential phishing) resistance until AAL3, we highly advise that you address this threat at all levels. You can select authenticators that provide verifier impersonation resistance, such as requiring that devices be joined to Azure Active Directory (Azure AD) or hybrid Azure AD. If you're using Office 365, you can use Office 365 Advanced Threat Protection, and specifically its Anti-phishing policies.
As you evaluate the appropriate NIST AAL for your organization, consider whether your entire organization must meet NIST standards. If there are specific groups of users and resources that can be segregated, you might be able to apply the NIST AAL configurations to only a specific group of users and resources.
Security controls, privacy controls, records retention policy
Azure and Azure Government have earned a provisional authority to operate (P-ATO) at the NIST SP 800-53 High Impact level from the Joint Authorization Board. This level represents the highest bar for FedRAMP accreditation, and it authorizes the use of Azure and Azure Government to process highly sensitive data.
These Azure and Azure Government certifications satisfy the security controls, privacy controls, and records retention policy requirements for AAL1, AAL2, and AAL3.
The FedRAMP audit of Azure and Azure Government included the information security management system that encompasses infrastructure, development, operations, management, and support of in-scope services. When a P-ATO is granted, a cloud service provider still requires an authorization (an ATO) from any government agency it works with. For Azure, a government agency, or organizations working with them, can use the Azure P-ATO in its own security authorization process. The agency or organization can rely on it as the basis for issuing an agency ATO that also meets FedRAMP requirements.
Azure continues to support more services at FedRAMP High Impact levels than any other cloud provider. And while FedRAMP High in the Azure public cloud meets the needs of many US government customers, agencies with more stringent requirements rely on Azure Government. Azure Government provides additional safeguards, such as the heightened screening of personnel. Microsoft lists all Azure public services currently available in Azure Government to the FedRAMP High boundary, as well as services planned for the current year.
In addition, Microsoft is fully committed to protecting and managing customer data with clearly stated records retention policies. As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist you. To view a complete list of our compliance offerings, see Microsoft compliance offering.
Next steps
Achieve NIST AAL3 with Azure AD
The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication events.
Users may receive a notification through the mobile app for them to approve or deny, or use the Authenticator app to generate an OATH verification code that can be entered in a sign-in interface. If you enable both a notification and verification code, users who register the Authenticator app can use either method to verify their identity.
To use the Authenticator app at a sign-in prompt rather than a username and password combination, see Enable passwordless sign-in with the Microsoft Authenticator app.
Note
Users don't have the option to register their mobile app when they enable SSPR. Instead, users can register their mobile app at https://aka.ms/mfasetup or as part of the combined security info registration at https://aka.ms/setupsecurityinfo.
Passwordless sign-in
Instead of seeing a prompt for a password after entering a username, a user who has enabled phone sign-in from the Microsoft Authenticator app sees a message to tap a number in their app. When the correct number is selected, the sign-in process is complete.
This authentication method provides a high level of security, and removes the need for the user to provide a password at sign-in.
To get started with passwordless sign-in, see Enable passwordless sign-in with the Microsoft Authenticator app.
Notification through mobile app
The Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it's legitimate, select Verify. Otherwise, they can select Deny.
Note
If your organization has staff working in or traveling to China, the Notification through mobile app method on Android devices doesn't work in that country/region, because Google Play services (including push notifications) are blocked there. iOS notifications do work, however. For Android devices, alternate authentication methods should be made available for those users.
Verification code from mobile app
The Authenticator app can be used as a software token to generate an OATH verification code. After entering your username and password, you enter the code provided by the Authenticator app into the sign-in interface. The verification code provides a second form of authentication.
Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time.
Warning
To ensure the highest level of security for self-service password reset when only one method is required for reset, a verification code is the only option available to users.
When two methods are required, users can reset using either a notification or verification code in addition to any other enabled methods.
Next steps
To get started with passwordless sign-in, see Enable passwordless sign-in with the Microsoft Authenticator app.
Learn more about configuring authentication methods using the Microsoft Graph REST API.