Authentication methods in Microsoft Entra ID - Microsoft Authenticator app

The Microsoft Authenticator app provides an additional level of security to your Microsoft Entra work or school account or your Microsoft account and is available for Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or multifactor authentication events.

Users may receive a notification through the mobile app for them to approve or deny, or use the Authenticator app to generate an OATH verification code that can be entered in a sign-in interface. If you enable both a notification and verification code, users who register the Authenticator app can use either method to verify their identity.

Note

In preparation of passkey support in Microsoft Authenticator, users may see Authenticator as a passkey provider on iOS and Android devices. Passkeys aren't currently supported in Authenticator, but they will be supported in an upcoming release.

To use the Authenticator app at a sign-in prompt rather than a username and password combination, see Enable passwordless sign-in with the Microsoft Authenticator.

Note

  • Users don't have the option to register their mobile app when they enable SSPR. Instead, users can register their mobile app at https://aka.ms/mfasetup or as part of the combined security info registration at https://aka.ms/setupsecurityinfo.
  • The Authenticator app may not be supported on beta versions of iOS and Android. In addition, starting October 20th, 2023 the Authenticator app on Android no longer supports older verisons of the Android Company Portal. Android users with Company Portal versions below 2111 (5.0.5333.0) can't re-register or register new instances of Authenticator until they update their Company Portal application to a newer version.

Passwordless sign-in

Instead of seeing a prompt for a password after entering a username, a user that has enabled phone sign-in from the Authenticator app sees a message to enter a number in their app. When the correct number is selected, the sign-in process is complete.

Example of a browser sign-in asking for user to approve the sign-in.

This authentication method provides a high level of security, and removes the need for the user to provide a password at sign-in.

To get started with passwordless sign-in, see Enable passwordless sign-in with the Microsoft Authenticator.

Notification through mobile app

The Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it's legitimate, select Verify. Otherwise, they can select Deny.

Note

Starting in August, 2023, anomalous sign-ins don't generate notifications, similarly to how sign-ins from unfamiliar locations don't generate notifications. To approve an anomalous sign-in, users can open Microsoft Authenticator, or Authenticator Lite in a relevant companion app like Outlook. Then they can either pull down to refresh or tap Refresh, and approve the request.

Screenshot of example web browser prompt for Authenticator app notification to complete sign-in process.

In China, the Notification through mobile app method on Android devices doesn't work because as Google play services (including push notifications) are blocked in the region. However, iOS notifications do work. For Android devices, alternate authentication methods should be made available for those users.

Verification code from mobile app

The Authenticator app can be used as a software token to generate an OATH verification code. After entering your username and password, you enter the code provided by the Authenticator app into the sign-in interface. The verification code provides a second form of authentication.

Note

OATH verification codes generated by Authenticator aren't supported for certificate-based authentication.

Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Authenticator app, configured for use at any time.

FIPS 140 compliant for Microsoft Entra authentication

Consistent with the guidelines outlined in NIST SP 800-63B, authenticators used by US government agencies are required to use FIPS 140 validated cryptography. This helps US government agencies meet the requirements of Executive Order (EO) 14028. Additionally, this helps other regulated industries such as healthcare organizations working with Electronic Prescriptions for Controlled Substances (EPCS) meet their regulatory requirements.

FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP).

Microsoft Authenticator for iOS

Beginning with version 6.6.8, Microsoft Authenticator for iOS uses the native Apple CoreCrypto module for FIPS validated cryptography on Apple iOS FIPS 140 compliant devices. All Microsoft Entra authentications using phishing-resistant device-bound passkeys, push multifactor authentications (MFA), passwordless phone sign-in (PSI), and time-based one-time passcodes (TOTP) use the FIPS cryptography.

For more information about the FIPS 140 validated cryptographic modules being used and compliant iOS devices, see Apple iOS security certifications.

Note

In new updates from the previous version of this article: Microsoft Authenticator is not yet FIPS 140 compliant on Android. Microsoft Authenticator on Android is currently pending FIPS compliance certification to support our customers that may require FIPS validated cryptography.

Determining Microsoft Authenticator registration type in My Security-Info

Managining and adding additional Microsoft Authenticator registrations can be performed by users by accessing MySecurityInfo (see the URLs in the next section) or by selecting Security info from MyAccount. Specific icons are used to differentiate whether the Microsoft Authenticator registration is passwordless phone sign-in or MFA.

Authenticator registration type Icon
Microsoft Authenticator: Passwordless phone sign-in Microsoft Authenticator passwordless sign-in Capable
Microsoft Authenticator: (Notification/Code) Microsoft Authenticator MFA Capable
Cloud MySecurityInfo URL
Azure commercial (includes GCC) https://aka.ms/MySecurityInfo
Azure for US Government (includes GCC High and DoD) https://aka.ms/MySecurityInfo-us

Next steps