Approving notifications above lock screen RRS feed

  • General discussion

  • Hi Folks, 

    We've gotten some feedback and questions around why we allow approval of sign-in verifications above the lock screen of a phone. 

    Multi-factor authentication should bring into the equation two of the following three things: 

    * A thing you know (most often, a password)

    * A thing you have 

    * A thing you are (biometrics)

    For the vast majority of customers using the Microsoft Authenticator, the first step of the sign-in/authentication flow is entering a password, the thing you know. The Microsoft Authenticator app, having already been registered to your account, is the thing you have, and approval of a notification is the use of that "thing you have" to complete the flow. 

    I hope this helps alleviate any concerns, please feel free to provide constructive feedback below. 


    Friday, March 9, 2018 6:10 PM

All replies

  • Hi Libby, You know what this doesn’t help, as a company trying to sell services to enterprises it is completely unacceptable that you allow the approval from the lock screen without confirmation that the user is the owner of the device. Mobile phone manufacturers have made it so simple for you, but yet again Microsoft think it knows best! You can try and justify this in whatever way you like, but frankly the arrogance shown on this particular subject is unbelievable! You are not listening to your customers, you posting this in the first place is just evidence of that, every other post on this forum is a customer telling you they DO NOT want approval from the lock screen until the user has authenticated via passcode, Touch ID, Face ID etc! None of your competitors allow approval without the user being authenticated first but again Microsoft know best. The reason it is brought up so often isn’t just because the feature is lacking it’s because you keep refusing to listen and every new customer or member of this forum thinks they’ll be the one to influence you to make the change. It’s a sad state of affairs that you have a forum where customers can provide feedback but you blatantly ignore and dismiss what your customers want. What’s the point? From a security perspective (kind of the entire point of MFA) surely more layers of security is better no? The product is called multi-factor authenticator, yet there it’s ok to dismiss an entire security layer that’s built into a device?! It’s stupid and not what your customers want! I just hope that maybe you’ll start to listen to us, if not we won’t be customers for much longer.
    Saturday, March 10, 2018 12:05 PM
  • Allynl93, 100% agree.   As a large Corporate that has just completed the Azure MFA POP, we have strong push back from IT Security to allow MFA approval from a locked phone. The whole process to unlock phones these days is frictionless - Touch or Face auth for all new phones, 6 digital PIN for older units. It is not a hurdle for our users to complain about.

    If it was a team members own Bank using a MFA service that allows Approval Auth  from unlocked phones, they would be screaming!  We (thus MS) should be treating Corporate data needing MFA in the same manner.  At least allow a setting for us to decide - Allow Approbe on Locked Phone: Yes/No.

    • Edited by ShaneJ07 Tuesday, March 27, 2018 2:19 AM
    Wednesday, March 14, 2018 6:24 AM