You shouldn't be able to approve requests without unlocking phone

  • Question

  • I disagree with this, you should have to unlock the device to approve the push request. This is how it works with Duo Security and we won't change to Azure MFA until this is required.

    Why does the Microsoft Authenticator App allow you to approve a request without unlocking the device?

    This is by design.

    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-faq
    Sunday, February 5, 2017 5:46 AM

All replies

  • Hi TrentQueen

    Yes, this is by design. You know, if you want to log in to your account, you need two things – 1. Your account password, 2. Your phone.  Even if you lost your phone, other people could get the Microsoft Authenticator App code, but if they don’t have your account’s password, they could not log in to your account. Therefore, having the phone and approving the request meets the criteria for the second factor of authentication.

    Also, thanks for your feedback.  You could give feedback at this link.

    If you still have questions, you are welcome to post back here. Thanks.

    Regards,

    Walter


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, February 6, 2017 4:30 AM
  • As of today, Sept 28th 2017, with Authenticator 6.2.1 on Android, the Authenticator would do the following upon receiving a login request:

    1. Allows the approval action for the request to be carried out without unlocking the phone.  And,

    2. Unlocks the phone automatically without requiring the user to authenticate through the configured factors on the phone.

    Number 2 is a major flaw in the design of the Authenticator as it compromises the authentication factor / posture configured on the phone, whatever that factor might be.

    This exposes the data on the phone by knowing a factor/password that isn't part of the phone's authentication factor.  i.e. Me knowing a password to Hotmail shouldn't bypass the PIN factor configured on the phone, which compromises the phone's data.

    There doesn't seem to be a configurable option in the Authenticator to change this behaviour.

    Friday, September 29, 2017 5:35 AM