Why Microsoft Is Phasing Out Passwords for good.

TL;DR

Microsoft is removing password support from its Authenticator app this summer. As of June, you haven’t been able to add new passwords; in July autofill stops working; and by August all saved passwords will be deleted. The replacement?

FIDO-based passkeys that are stored encrypted on your device and use biometrics / PIN for phishing-proof sign-ins.

The Password Problem

Passwords have been the backbone of online security for decades and are the way we sign into most of our work and online services: shopping sites, email, Snapchat, you name it.

But they are a huge weak link and the primary way people and companies get hacked and online identities stolen.

  • Microsoft reports seeing password attacks in the realm of 7,000 attempts per second against Microsoft consumer accounts alone.
  • People reuse weak or memorable passwords across dozens of sites because strong ones are hard to remember.
  • Password managers, whilst helpful, present a single point of attack for hackers.
  • Phishing, brute-force and database leaks make passwords a persistent liability, and AI is increasing the number of attacks.

Microsoft’s stats show password success rates (getting a login right with your password) of 32%, compared with 98% for passkeys: proof that passwords aren’t just less secure, they’re also more error-prone, while passkeys are easier to use once set up.

What Are Passkeys?

Passkeys are an evolution of authentication built on FIDO (Fast Identity Online) standards. Here’s what makes them different:

  • Stored only on your device, protected by your PIN and biometrics, and never on a central server.
  • Rely on biometrics (Face ID, fingerprint) or a local PIN.
  • Immune to phishing and replay attacks because there’s no password to steal.
  • Seamless: once set up, you tap or scan to log in anywhere passkeys are supported.
  • Easier to use, since you don’t have to remember complex passwords.

Microsoft Authenticator Timeline

To ease the transition away from storing passwords and towards passkeys, Microsoft has shared the timeline, which started last month.

  • June 2025: Microsoft disabled the ability to add new passwords to Authenticator.
  • July 2025: Password autofill in Authenticator is disabled.
  • August 2025: All passwords saved in Authenticator are permanently deleted (export before then).

Keeping/exporting your passwords.

If you want to export your passwords stored in Authenticator you can. These can then be imported into other password managers. To do this:

  • Open Authenticator
  • Go to Passwords, then Export.
  • Save the CSV file securely or import it into another password manager.
  • If you still rely on passwords, migrate them to Microsoft Edge’s built-in vault or a third-party manager like 1Password.

Start creating Passkeys.

  • Still in the Authenticator app, or via your Microsoft account’s security settings, select Passkeys > Add new passkey.
  • Follow the prompts to register with Face ID, fingerprint or PIN.

Update your accounts to use Passkeys

  • This is unfortunately a bit laborious, since you will need to visit each website or service that offers passkey login and link your new passkey.

Why go Passwordless.

There’s a heap of reasons once you’ve got past the process of creating Passkeys.

  • Stronger Security: No password to steal means it’s virtually impossible to phish or brute-force your credentials.
  • Better Usability: Unlock with a quick biometric scan or PIN, no more juggling complex passwords.
  • Future-Proof: Passkeys and the move to passwordless are backed by all major identity provider platforms (Microsoft, Cisco, Apple, Google, Amazon), and over 15 billion accounts already support them.
  • The industry is moving to passwordless: all the tech giants are moving this way to finally try to rid the world of passwords. Apple, Google and Amazon have also committed to a passwordless future. Whether it’s signing into an app, online banking or shopping, passkeys are becoming the universal standard.

Today, the use of passkeys is growing, and with the tech giants behind the phasing out of passwords they will soon be the way we sign into all of our online services.

Microsoft Authenticator now protects against “MFA Bombing”.

The Microsoft Authenticator is getting a backend upgrade in which it will now be able to suppress risky sign-in notifications, in an attempt to mitigate the “MFA fatigue” caused by the attack tactic called MFA bombing. As a big internal advocate of passwordless within my own organisation, this is great news.

What is MFA Bombing

“MFA Bombing” is an attack method in which attackers continually try to log on from unfamiliar locations, causing an influx of MFA prompts intended to trick the user into clicking accept and allowing the sign-in because they get sick of dismissing notifications.

Microsoft say that this new policy should address the root cause of this growing breach method.

How Microsoft Authenticator protects against MFA Bombing

In response to this, Microsoft’s Authenticator app will now automatically suppress notifications that come from “risky sign-ins”, based on number matching, an MFA method that requires users to verify their identity by entering a numerical code displayed on the sign-in screen.

This is aimed at protecting users who use the “approve only” method, but it acts on any method used. Microsoft will now suppress Authenticator notifications when a request is deemed to pose potential risks, such as when the request originates from an unfamiliar location or exhibits other anomalies such as repetitive requests (or bombing).

We now suppress Authenticator notifications when a request displays potential risks, such as when it originates from an unfamiliar location or is exhibiting other anomalies. This approach significantly reduces user inconvenience by eliminating irrelevant authentication prompts.

Microsoft.

With this feature, in the event of a login request that looks risky, the standard notification will not be sent to the user’s device via the Authenticator app. Instead, the user (or attacker) will receive a notification on screen (where they are trying to log on) telling them to “Open your Authenticator app and enter the number shown to sign in”.

When the user opens the Authenticator app, the request will be waiting there and they can sign in.

Since no notification is pushed to the user’s Authenticator app, a request that was not made by the user is never surfaced on their phone and will simply time out.

This significantly reduces user inconvenience by eliminating irrelevant and known risky authentication prompts.

Microsoft recommend “number matching”

Whilst these additional protections are great, it’s recommended that organisations implement number matching (if not enabled by default). This enhances the security of the sign-in process by requiring users to enter a sequence of numbers displayed on the sign-in screen when approving an MFA request in the Authenticator app. It has a number of immediate benefits over simple approve/deny options, including:

  • It prevents accidental approvals by making sure that you are aware of the sign-in request and have access to the sign-in screen.
  • It defends against MFA fatigue attacks, which spam people with multiple notifications in an attempt to trick them into approving access requests.
  • It provides an additional layer of security by verifying that the device or app that generates the numbers is the same as the one that receives the approval request.

The implementation of number matching is a great way forward and has been extremely successful in preventing attackers engaging in MFA fatigue / bombing attacks.

Combined with the new suppression technology for known attacks, Microsoft say that this change has already prevented more than 6 million MFA notifications since September 2023.

Number matching in MFA is available for the Microsoft Authenticator app and can be enabled by IT admins for different scenarios, such as multifactor authentication, self-service password reset, combined registration, AD FS adapter, and NPS extension.