New Microsoft Authenticator features for organizations
Microsoft announced four new features for the company's Microsoft Authenticator application for organizations. The new security features improve Microsoft Authenticator's capabilities in several meaningful ways.
Two feature additions improve the sign-in experience. The first, Additional context in Microsoft Authenticator approval requests, adds more information to the confirmation prompt. The feature uses the device's IP address to display location based information and a map. It will also display the application that is requesting access.
Administrators need to enable push notifications for some users or groups using the new Authentication Methods Policy API.
Administrators may combine the new security feature with number matching, yet another new feature that is available in public preview. Number matching requires users to enter a number in the Microsoft Authenticator application that is displayed on the sign-in screen.
Number matching can be enabled individually, or in combination with the extended context feature.
The third feature addition adds options to restrict access to "the boundaries of a specific country by using the GPS signal from the Microsoft Authenticator". Countries can be blocked using the device's IP address or GPS coordinates, which the Microsoft Authenticator application provides. Authentication is denied automatically if the phone is rooted or jailbroken.
The fourth and final new feature may be used to encourage users to enable two-factor authentication and the use of Microsoft Authenticator.
The third and fourth feature is already available.
Administrators may check out the following support pages for additional details:
- How to use number matching in multifactor authentication (MFA) notifications (Preview) - Authentication Methods Policy
- How to use additional context in multifactor authentication (MFA) notifications (Preview) - Authentication Methods Policy
- Using the location condition in a Conditional Access policy
Closing Words
Three of the four new security features would make good additions to Home editions of Microsoft's Authenticator application. It would probably not be difficult to add extra context to the confirmation prompts, enable the number matching experience, or country blocking.
Now You: do you use an authenticator application or 2-factor authentication?
The number matching experience has already been implemented for Microsoft accounts with password-less feature enabled. Just wish they could somehow make other third party accounts push a prompt rather than having to manually enter the number
Do I understand it correctly that Microsoft Authenticator is not a cryptographic authenticator?
And if this M.s. Authenticator is crytomatic does the M.s authenticator use a symmetric-key cryptography or does the M.S. authenticator uses a public-key cryptography?
I ask this because that I know that both avoid memorized secrets, but I prefer a public-key cryptography, because there are no shared secrets as well, which is I think an important distinction.
I asking this because I cant find the answers on these on main questions on the Microsoft website?
“The feature uses the device’s IP address to display location based information and a map”
As long as they don’t use authentication security as an excuse to store on their servers the location users connect from, like Mozilla…
“Authentication is denied automatically if the phone is rooted or jailbroken.”
Wait until this becomes no longer optional. “For your security”.
“Something went wrong.”