Improve Azure Authenticator App to require password or touch id validation before approving push request.
Currently, if you receive a push notification to the Azure Authenticator app while the phone is locked, merely swiping the notification and selecting View allows access to approve (or deny) the request. Other authenticator apps (Google, Lastpass, etc.) require the device password or touch id (on iOS) before the request can be approved. This is a security flaw and needs to be fixed.
Reto Schelbert commented
This should be added, as many other MFA push notification methods and apps do the same (take Duo Auth, Google, formerly Vasco, etc.).
As out-of-band authentication (OOB) is a good, reliable source of strong authentication (rather than OTPs to enter in the same auth mask/process), it should at least enforce that the user is physically present at his receiver/device, which means either entering a PIN he knows or presenting something he has, like a fingerprint.
Yes - companies have a problem by trusting their users to secure a private mobile phone enough and to not "lay" them around unlocked. The Authenticator app should enforce the use of mobile OS screen locks and additionally, e.g. via the registration in azuremfa, regard additional information on whether the company policy should enforce an additional auth mechanism to Accept or Reject a push notification.
Douglas Boyd commented
I'm surprised there aren't more comments on this feature. Large organisations especially will expect this capability, as it is default on competitor products, e.g. Okta, Google.
I agree that this would improve the overall security posture of Microsoft MFA. Various 3rd-party MFA solutions do require that you unlock the device in order to approve a notification. A scenario would be an employee who walks away from their computer, doesn't lock the OS, and also leaves their phone on their desk. Someone could walk up to an app that does Single Sign-On but also requires MFA; the unauthorized user is then able to access the MFA-protected app without proving that they are authorized to use the mobile device.
Matt Sauer commented
Please correct this or allow us to control this setting globally. We cannot use most of the Azure MFA modes, as there is either no PIN plus or it allows you to approve without unlocking the phone.