Microsoft Introduces FIDO2 and Passkey Upgrades to Authenticator

The latest Microsoft Authenticator update brings enhanced passkey registration, FIDO2 authentication for Android apps, and compliance with federal security standards.

Microsoft has rolled out new features to its Authenticator app, including streamlined passkey support and FIDO2 authentication for Android apps. The changes aim to provide more secure and user-friendly login options while cutting down on phishing attempts and unauthorized access. These new tools are now available for both enterprise and individual users who rely on Microsoft’s multi-factor authentication (MFA) system.

The update builds on earlier improvements that blocked hacker-initiated notifications, making it harder for attackers to exploit MFA.

Passkey Support Revamped for Smoother Onboarding

The process of registering device-bound passkeys in the Microsoft Authenticator app has been streamlined after feedback from an earlier preview, which some users found confusing. Previously, users had to jump through multiple hoops and often missed critical steps, such as enabling Bluetooth, when setting up passkeys. Microsoft has now simplified the process by having users sign in directly through the app, reducing friction and making setup faster and less error-prone.

Security has also been bolstered through attestation, a feature that checks the authenticity of the Authenticator app installed on a device using Android and iOS APIs. This measure helps prevent attackers from using tampered or unofficial versions of the app to trick users during passkey setup.

FIDO2 Authentication Expands to Android

FIDO2 support is another crucial part of the latest update, specifically for users of Microsoft’s brokered apps on Android 14 and up. Now, users can sign into apps like Microsoft Teams and Outlook using either a FIDO2 security key or a passkey stored in the Authenticator app. This feature significantly cuts down the need for passwords, which remain a weak point in digital security. For users still on Android 13, Microsoft plans to roll out similar support in the coming months.

This enhancement makes it easier for organizations to adopt more secure, passwordless logins, especially as FIDO2 becomes a more widely accepted standard across apps and platforms.

Earlier Security Enhancements

This update comes less than a year after a significant update in November 2023 that made the Authenticator app smarter at recognizing and blocking fraudulent multi-factor authentication (MFA) requests. Back then, Microsoft introduced a system that suppressed MFA notifications deemed suspicious—like those originating from unknown locations—without bombarding users with alerts. The result? Over six million hacker-initiated notifications have been blocked, keeping users safer from phishing and brute-force attacks.

Instead of pushing those suspicious alerts to a user’s device, where they can lead to accidental approvals of fraudulent requests, the app now shows them only when the user opens it manually. This change has dramatically reduced the number of unintentional security breaches.

FIPS 140 Compliance for Android Now Active

Microsoft has also achieved Federal Information Processing Standard (FIPS) 140 compliance for its Android Authenticator app. This certification, which ensures that cryptographic modules meet federal security standards, has been a key requirement for government agencies and organizations handling sensitive information. The iOS version of the app has been compliant since late 2022, but now Android users running version 6.2408.5807 or later can benefit from this as well, without any additional steps required by IT admins.

With FIPS 140 compliance, Microsoft continues to position its Authenticator app as a trusted tool for sectors like healthcare and federal agencies that need to meet strict regulatory standards. Organizations using the app can now better ensure their systems comply with legal requirements, particularly following the U.S. Executive Order on national cybersecurity.

MFA and Passkey Security: A Growing Need

As phishing and brute-force attacks become increasingly sophisticated, tools like multi-factor authentication are more critical than ever. MFA requires multiple layers of verification, usually combining something you know (like a password) with something you have (such as a device) or something you are (biometric data), to protect accounts from unauthorized access.

Last Updated on November 7, 2024 2:23 pm CET

Source: Microsoft

Markus Kasanmascheff

Markus has been covering the tech industry for more than 15 years. He holds a Master’s degree in International Economics and is the founder and managing editor of Winbuzzer.com.