Improve Azure Authenticator App to require password or Touch ID validation before approving push request.
Currently, if you receive a push notification to the Azure Authenticator app while the phone is locked, merely swiping the notification and selecting View allows access to approve (or deny) the request. Other authenticator apps (Google, LastPass, etc.) require the device password or Touch ID (on iOS) before the request can be approved. This is a security flaw and needs to be fixed.
Currently the Authenticator app is a single auth factor (something you have). The app can be used on mobiles with no device lock. Please enable us to require an additional factor (PIN/biometric) to access validation checks for our tenant if the device has no lock configured. Something like an Intune MAM policy that requires app-level auth if there's no device lock.
Arun Aboorvam commented
Please provide the app lock as enforcement for the customers that require it, either via Intune or some other way. It is a must from a security standpoint.
It should at least be an option, if not the default. If someone managed to take my laptop, they would probably have access to my phone as well.
Adem Ozdemir commented
How is this not a thing yet? The Authenticator app needs to change, that's all. Just a notification without an approval function. You should be able to push this through your organization's settings. If your organization doesn't accept a pop-up above the lock screen, then you shouldn't get the notification on your screen. If you unlock your phone you can see it in your Authenticator app.
We have to promote this suggestion more.
Reto Schelbert commented
This should be added, as many other MFA push notification methods and apps do the same (take Duo, Google, formerly Vasco, etc.).
As out-of-band authentication (OOB) is a good, reliable source of strong authentication (rather than OTPs to enter in the same auth mask/process), it should at least force the user to be physically present at his receiver/device, which means either entering a PIN he knows or presenting something he has, like a fingerprint.
Yes, companies have a problem with trusting their users to secure a private mobile phone well enough and to not "leave" them lying around unlocked. The Authenticator app should enforce the use of mobile OS screen locks and additionally, e.g. via the registration in azuremfa, take into account additional information on whether the company policy should enforce an additional auth mechanism to Accept or Reject a push notification.
Douglas Boyd commented
I'm surprised there aren't more comments on this feature. Large organisations especially will expect this capability, as it is the default on competitor products, e.g. Okta, Google.
I agree that this would improve the overall security posture of Microsoft MFA. Various third-party MFA solutions do require that you unlock the device in order to approve a notification. A scenario would be: an employee walks away from their computer, doesn't lock the OS, and they also leave their phone on their desk. Someone could walk up to an app that does Single Sign-On but also requires MFA; the unauthorized user is then able to access the MFA-protected app without proving that they are authorized to use the mobile device.
Matt Sauer commented
Please correct this, or allow us to control this setting globally. We cannot use most of the Azure MFA modes, as there is either no PIN or it allows you to approve without unlocking the phone.