Authentication methods in Azure Active Directory - Microsoft Authenticator app

The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or multifactor authentication events.

Users may receive a notification through the mobile app for them to approve or deny, or use the Authenticator app to generate an OATH verification code that can be entered in a sign-in interface. If you enable both a notification and verification code, users who register the Authenticator app can use either method to verify their identity.

To use the Authenticator app at a sign-in prompt rather than a username and password combination, see Enable passwordless sign-in with the Microsoft Authenticator.

[!NOTE] Users don't have the option to register their mobile app when they enable SSPR. Instead, users can register their mobile app at https://aka.ms/mfasetup or as part of the combined security info registration at https://aka.ms/setupsecurityinfo.

Passwordless sign-in

Instead of seeing a prompt for a password after entering a username, a user that has enabled phone sign-in from the Authenticator app sees a message to enter a number in their app. When the correct number is selected, the sign-in process is complete.

This authentication method provides a high level of security, and removes the need for the user to provide a password at sign-in.

To get started with passwordless sign-in, see Enable passwordless sign-in with the Microsoft Authenticator.

Notification through mobile app

The Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it's legitimate, select Verify. Otherwise, they can select Deny.

[!NOTE] If your organization has staff working in or traveling to China, the Notification through mobile app method on Android devices doesn't work in that country/region as Google play services(including push notifications) are blocked in the region. However iOS notification do work. For Android devices ,alternate authentication methods should be made available for those users.

Verification code from mobile app

The Authenticator app can be used as a software token to generate an OATH verification code. After entering your username and password, you enter the code provided by the Authenticator app into the sign-in interface. The verification code provides a second form of authentication.

Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Authenticator app, configured for use at any time.

[!WARNING] To ensure the highest level of security for self-service password reset when only one method is required for reset, a verification code is the only option available to users.

When two methods are required, users can reset using either a notification or verification code in addition to any other enabled methods.

FIPS 140 compliant for Azure AD authentication

Beginning with version 6.6.8, Microsoft Authenticator for iOS is compliant with Federal Information Processing Standard (FIPS) 140 for all Azure AD authentications using push multi-factor authentications (MFA), passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP).  

Consistent with the guidelines outlined in NIST SP 800-63B, authenticators are required to use FIPS 140 validated cryptography. This helps federal agencies meet the requirements of Executive Order (EO) 14028 and healthcare organizations working with Electronic Prescriptions for Controlled Substances (EPCS). 

FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP).

No changes in configurations are required in Microsoft Authenticator or the Azure portal to enable FIPS 140 compliance. Beginning with Microsoft Authenticator for iOS version 6.6.8, Azure AD authentications will be FIPS 140 compliant by default.

Authenticator leverages the native Apple cryptography to achieve FIPS 140, Security Level 1 compliance on Apple iOS devices beginning with Microsoft Authenticator version 6.6.8. For more information about the certifications being used, see the Apple CoreCrypto module. 

FIPS 140 compliance for Microsoft Authenticator on Android is in progress and will follow soon.

Determining Microsoft Authenticator registration type in My Security-Info

Managining and adding additional Microsoft Authenticator registrations can be performed by users by accessing https://aka.ms/mysecurityinfo or by selecting Security info from from My Account. Specific icons are used to differentiate whether the Microsoft Authenticator registration is capable of passwordless phone sign-in or MFA.

Authenticator registration type	Icon
Microsoft Authenticator: Passwordless phone sign-in
Microsoft Authenticator: MFA capable

Next steps

• To get started with passwordless sign-in, see Enable passwordless sign-in with the Microsoft Authenticator.

• Learn more about configuring authentication methods using the Microsoft Graph REST API.