The latest enhancements in Microsoft Authenticator

Hi folks,

I'm thrilled to announce three major Microsoft Entra ID advancements that will help you protect your users with phishing-resistant authentication:

• Public preview refresh: Device-bound passkey support in Microsoft Authenticator
• Public preview: Support for FIDO2 security keys on native brokered applications, such as Outlook and Teams, on Android 14
• General availability: FIPS compliance for Microsoft Authenticator on Android

These advancements are crucial, not only for adhering to the US Executive Order 14028 on Improving the Nation's Cybersecurity, but also for safeguarding all organizations and users who rely on secure digital identities. Let’s dig deeper!

Public preview refresh: Device-bound passkey support in Microsoft Authenticator

During World Password Day in May, we announced the public preview of device-bound passkey support in Microsoft Authenticator for iOS and Android, tailored for organizations with higher security assurance requirements. We’re now refreshing this feature with some exciting new capabilities! 

During public preview, we received valuable feedback from customers that the registration experience for passkeys can be cumbersome and error-prone. Some users, when registering from their laptops, encountered as many as 19 steps, missed essential prerequisites like enabling Bluetooth on their device, or inadvertently set up their passkey with an unsupported provider. Based on this feedback, we’ve improved the registration flow to provide a more tailored experience to ensure users are successful when registering their passkey. We've also optimized the registration process by initially directing users to sign into the Authenticator app. This approach provides a seamless experience, guiding users through prerequisites, while significantly reducing contextual switches between devices.

In addition to enhancing the user experience, we’ve also strengthened the security posture by introducing attestation support. When configured, we leverage Android and iOS APIs to verify the legitimacy of the Microsoft Authenticator app on the user's device prior to registering the passkey.

Figure 1: Passkey in Microsoft Authenticator

These two capabilities are now in preview, and we highly encourage you to start piloting these features in your organization and share your feedback with us as we prepare for general availability coming soon. 

To get started, please refer to our documentation. To learn more about passkey support in Microsoft Entra ID, please read our original announcement, Public preview: Expanding passkey support in Microsoft Entra ID.

Public preview: Passkey (FIDO2) authentication in brokered Microsoft applications on Android

In conjunction to the public preview refresh of passkey support in Microsoft Authenticator, we’re also introducing public preview support for passkey (FIDO2) authentication within brokered Microsoft applications on Android. Users can now use a FIDO2 security key or passkey in the Microsoft Authenticator app to sign into Microsoft apps, such as Teams and Outlook, when either the Microsoft Authenticator app or Microsoft Intune Company Portal app is installed as the authentication broker on an Android 14+ device.

Support for FIDO2 security key sign-in to brokered Microsoft apps on Android 13 will be coming in the following months.

General availability: FIPS compliance for Microsoft Authenticator on Android

Microsoft Authenticator on both iOS and Android is now FIPS 140 compliant. While iOS Authenticator app has been FIPS 140 compliant since December 2022, we released the FIPS 140 compliant version of the Android Authenticator app in September 2024. 

FIPS 140 compliance for Microsoft Authenticator helps federal agencies meet the requirements of Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity” and healthcare organizations with Electronic Prescriptions for Controlled Substances (EPCS).   

All authentications in Microsoft Entra ID with Authenticator including passkeys, passwordless phone sign-in, multifactor authentication (MFA), and one-time password codes are considered FIPS compliant.  No changes in configuration are required in Microsoft Authenticator or Microsoft Entra ID admin center to enable this capability. Users on Microsoft Authenticator version 6.2408.5807 and higher on Android will be FIPS 140 compliant by default for Microsoft Entra ID authentication. 

Microsoft Authenticator on Android uses WolfSSL Inc.’s wolfCrypt module to achieve FIPS 140-3 Level 1 compliance. For additional details on the certification being used, refer to Cryptographic Module Validation Program information.

With these releases, we’ve significantly upleveled the user experience and security posture of Microsoft Authenticator, making it easier for you to achieve your phishing-resistance goals. If you haven't considered phishing-resistance yet, we highly recommend doing so. You can use our updated passwordless deployment guide to get started on this journey.

We look forward to you trying out these improvements and sharing your feedback. 

Thank you,

Nitika Gupta

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

• ⁠Microsoft Entra News and Insights | Microsoft Security Blog 
• ⁠⁠Microsoft Entra blog | Tech Community 
• ⁠Microsoft Entra documentation | Microsoft Learn
• Microsoft Entra discussions | Microsoft Community