Question re MS Authenticator app and how to use

I have MS Authenticator on my phone, necessitated by a website that doesn’t seem to offer any other options for 2FA. I’ve been using it for more than a year and still have not quite figured out the smoothest way to use it. Typically I will log in with my email address and password, and then open the Authenticator app for the code. The one showing when I open the app never works so I learned to wait for a new code to appear. But even in that case more than half the time THAT code does not work and I have to wait 30 seconds for another one to appear.

Grrrr… Am I doing something wrong? Should I open the app before I log in? What’s the RIGHT way to be doing this?

Thanks!

That’s not what usually happens for me - usually, when I log in, the app will pop up with an “Approve? Y/N” kind of prompt on my phone.

But you should have the app open when you try and log in, yes.

I use both the Google and MS authenticators (also because I had something that required the MS one, after I’d set up everything else with Google). I use the Google one a lot more, but opening them up, they seem to work similarly. The MS one has a more complicated interface, and may offer a variety of options, but I use it like the Google one. They both give you 30 seconds.

The app shows a graphic that tells me how long the code will be valid. You need to type it in, and have it sent to the other end, all before it changes. If you have a really crappy connection, and it takes a long time between your typing it in and the other end getting it, you might have trouble. That said, I’ve never had trouble with these. If there are fewer than 20 seconds left, I wait for a new one. Then I type the numbers into the box and quickly hit “enter”. And then my thing works.
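For anyone curious what the 30-second countdown actually is: the one-time codes both apps show are TOTP (RFC 6238), a counter-mode HMAC where the counter is the current Unix time divided by 30, so the phone and the website each compute the same code independently from a shared secret and the clock. The following is an added example written for this thread, not code from either app or from the site in question. It generates codes from a constructed demo secret and, on the "server" side, accepts the current 30-second step plus or minus one neighbouring step, which is a common way to tolerate typing time and small clock drift. The secret, the timestamps and the one-step skew tolerance are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32, the form a QR code carries. Not a real account secret.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30  # the 30-second window both apps show
DIGITS = 6


def demo_secret() -> bytes:
    """Decode the constructed demo secret into the raw HMAC key."""
    return base64.b32decode(DEMO_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step)


def seconds_remaining(at: float, step: int = STEP_SECONDS) -> int:
    """What the countdown graphic in the app represents for a code shown at time `at`."""
    return step - (int(at) % step)


def verify(secret: bytes, submitted: str, server_time: float, skew_steps: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current step and +/- skew_steps
    neighbours. hmac.compare_digest avoids a timing side channel on the comparison."""
    counter = int(server_time) // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def timeline(secret: bytes, shown_at: float, submitted_at: float, phone_offset: float = 0.0) -> dict:
    """Model one login attempt: the phone (possibly with a clock offset) shows a code at
    shown_at, the user submits it, and the server (correct clock) checks at submitted_at."""
    code = totp(secret, shown_at + phone_offset)
    return {
        "code": code,
        "seconds_left_when_shown": seconds_remaining(shown_at + phone_offset),
        "accepted_with_skew": verify(secret, code, submitted_at, skew_steps=1),
        "accepted_strict": verify(secret, code, submitted_at, skew_steps=0),
    }


if __name__ == "__main__":
    secret = demo_secret()
    now = time.time()
    # Same step, typed within the window: accepted either way.
    print(timeline(secret, now, now + 5))
    # Code from the previous step, typed 25 seconds later: only a tolerant server accepts it.
    print(timeline(secret, 1000, 1025))
    # Phone clock 90 seconds off: three steps away, rejected even with tolerance.
    print(timeline(secret, 1000, 1005, phone_offset=90))
```

The second timeline is the case described above: a code read with 20 seconds left and typed after the window rolled over still works because the server checks the previous step too. The third shows why a phone whose clock is more than a step or so off will produce codes that never work, regardless of how fast you type.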

Thank you both. I just tried having the app open before logging in and that seemed to work! It seems counterintuitive to me to do it in that order (and half the time I forget I need my phone and it’s in the other room, etc.) but if that’s the ticket I will try to do it henceforth. Appreciate the feedback!

The MS Authenticator will only prompt you when logging into a Microsoft account or an account using Microsoft as the identity provider. For other accounts, you can still use it for one-time codes.

MS Authenticator supports a few different modes, and sites have the ability to decide which ones it supports. My company used to support the mode where all you do is approve the incoming request. But after a security breach, they switched to one where the prompt shows a map and you have to type in a 2-digit code.

The problem with the standard approval is that some people would just mindlessly approve all incoming requests, even if they didn’t initiate them. The code means the initiator and the approver have to be the same person (or in contact). Being only two digits, it’s not intended to be heavy security in and of itself. But people are unlikely to mindlessly enter a random code, and if they did, it would only have a 1% chance of working.

Oh, and you also have to re-enter any general phone security (a fingerprint on my phone, but it probably works with a pattern or PIN code also).

I haven’t used MS authenticator, but I’m familiar with the tech. The app and the website should both be synced with network time servers that are synced with each other and will generate new codes at the same time.

I only use this kind of thing for work, for access to client networks, where I guess this must always be the case, then.

Other TFAs we use for the same type of access seem to use the one-time code thing only, like Symantec’s VIP. But I can’t recall the last time I had to use one with MS.

The older Approve/Deny push message has been deprecated and number matching will be the new default next month for Azure Active Directory.

Good to know; thanks. Wasn’t sure how much of the change was MS policy vs. corporate policy. The number matching is less convenient, but the old system was clearly not secure.

People were giving into MFA attack fatigue and just hitting approve.

Or the approval step just became so repetitive that they did it automatically (like those stupid cookie prompts on websites, which people click through while barely perceiving them, let alone reading).

Presumably, MS Authenticator has some sort of rate limiting so as not to be too annoying. Some geofencing would probably also be helpful.

It does, and depending on what level of Azure Active Directory you are paying for you can use Conditional Access which is quite flexible. I can allow you to connect to Teams from a single IP address on a domain joined laptop but use Outlook on your mobile phone from Canada and the US only.