Push approved above the lock screen


  • I have been informed this change was by design but our security team has once again rejected the Microsoft Authenticator app as you can approve the push notification above the lock screen. Previously you had to unlock the device to be able to approve the 2FA request. We will continue to use Duo Security until this is changed back to the way it was.
    Monday, July 3, 2017 7:28 AM

All replies

  • Hi TrentQueen,

    The Microsoft Authenticator app provides two-step verification.

    There are two scenarios:

    If we log in to an Azure account on the Azure portal, the portal requires a password; in this scenario we can approve the push notification above the lock screen.

    If we log in to a Microsoft Account without a password, we must unlock the screen and then approve it.

    All of these are by-design behaviors: two-step verification means the password plus approving the notification, or the device password plus approving the notification.

    Best regards,

    Jason


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 5, 2017 9:30 AM
  • I understand it is now by design, although it used to require unlock previously.

    Just providing feedback that it will never be allowed at our company until you at least give us the option to require phone unlock to approve the push - Intune app configuration policy *hint* *hint*.

    Monday, July 10, 2017 8:24 AM
  • Hi TrentQueen,

    Thank you for your feedback.

    You could give your feedback at this link; all of the feedback you share there will be monitored and reviewed by the Microsoft engineering teams.

    https://social.technet.microsoft.com/Forums/en-US/c0c10232-3093-4cf9-9ecc-c131c7643eaa/give-us-your-feedback?forum=MicrosoftAuthenticatorApp

    If you have any questions about the Microsoft Authenticator app, you are welcome to post back here.

    Best regards,

    Jason


    Monday, July 10, 2017 10:30 AM
  • As of today, Sept 28th 2017, with Authenticator 6.2.1 on Android, the Authenticator would do the following upon receiving a login request:

    1. Allows the approval action for the request to be carried out without unlocking the phone. And,

    2. Unlocks the phone automatically without requiring the user to authenticate through the configured factors on the phone.

    Number 2 is a major flaw in the design of the Authenticator as it compromises the authentication factor / posture configured on the phone, whatever that factor might be.

    This exposes the data on the phone by knowing a factor/password that isn't part of the phone's authentication factor, i.e., me knowing a password to Hotmail shouldn't bypass the PIN factor configured on the phone, which compromises the phone's data.

    There doesn't seem to be a configurable option in the Authenticator to change this behaviour.

    Friday, September 29, 2017 5:39 AM