Microsoft Authenticator Adds Device-Bound Passkey Support, FIPS Compliance

Microsoft has enhanced its Authenticator app with phishing-resistant features, including device-bound passkeys and FIPS compliance.

Published: Oct 23, 2024

Key Takeaways:

  • Microsoft has strengthened its Authenticator app with phishing-resistant device-bound passkeys.
  • Microsoft Authenticator has streamlined the passkey registration process.
  • Microsoft has introduced FIDO2 authentication support for apps like Teams and Outlook on Android.

Microsoft has rolled out advanced phishing-resistant capabilities for its Authenticator app. The latest update includes enhancements to the device-bound passkey feature, which has been in public preview since May, offering users a stronger defense against phishing attacks.

Microsoft Authenticator’s device-bound passkeys improve security by linking each passkey to a specific device. These passkeys use public-private key cryptography to protect users against phishing attacks in enterprise environments.

Since the public preview release, some customers have faced difficulties registering their device-bound passkeys. In response, the company has incorporated user feedback to improve the passkey registration experience.

“Based on this feedback, we’ve improved the registration flow to provide a more tailored experience to ensure users are successful when registering their passkey. We’ve also optimized the registration process by initially directing users to sign into the Authenticator app,” Microsoft explained.

Passkey in Microsoft Authenticator (Image Credit: Microsoft)

Microsoft has introduced attestation support to verify the authenticity of the Authenticator app using Android and iOS APIs. These features, which are currently in public preview, will hit general availability in the coming months.

FIDO2 passkey authentication in brokered Microsoft apps on Android

Microsoft has also added passkey (FIDO2) authentication support for brokered Microsoft apps on Android. This allows users to log in to apps like Microsoft Teams and Outlook using a FIDO2 security key or passkey. However, it requires the installation of either the Authenticator app or the Intune Company Portal app on Android 14+ devices, with support for Android 13 devices coming soon.

FIPS compliance for Microsoft Authenticator on Android

Finally, Microsoft has announced the general availability of FIPS compliance for its Authenticator app on Android. This update helps organizations and federal agencies meet the requirements of Executive Order 14028, which mandates the use of phishing-resistant authentication methods.

FIPS compliance support has been available in public preview for iOS devices since December 2022. This feature is now also enabled by default for all users running Microsoft Authenticator version 6.2408.5807 and higher on Android devices.
