Microsoft users can ditch password-based logins for phone sign-in 2FA
Microsoft added a new feature to its authenticator app, allowing users to sign into their Microsoft account without having to enter their password.
“With phone sign-in, we’re shifting the security burden from your memory to your device. Just add your account to the Android or iOS Microsoft Authenticator app, then enter your username as usual when signing in somewhere new,” Alex Simons, Director of Program Management at the Microsoft Identity Division, explained.
“Instead of entering your password, you’ll get a notification on your phone. Unlock your phone, tap ‘Approve’, and you’re in.”
The feature is easy to set up: users enable it from the dropdown menu of an account already added to Microsoft Authenticator. It can just as easily be switched off if, at any point, they want to revert to signing in with their password.
Current limitations of the phone sign-in feature
For the moment, it is offered only to Android and iOS users of the Microsoft Authenticator app; it may be added to the Windows 10 Mobile app if it proves successful.
Also, phone sign-in currently works only for Microsoft Accounts, the single sign-on web service that lets users log into Microsoft websites, applications and their devices by signing into that one account.
Simons says that this new feature counts as two-factor authentication: the mobile device is the first factor, and the PIN or fingerprint used to unlock it is the second. He also noted that this option is easier than standard two-step verification.
Should you try it?
“The new functionality in the Authenticator app to use biometrics (in the form of fingerprints from Apple’s Touch ID), one time codes, and even approvals for a notification from the app (on unlocked phones only, naturally) is a significant improvement over password-only authentication,” Tadd Axon, Microsoft Services Practice Lead at Softchoice, commented for Help Net Security.
“I view this as a big win for the average user: less reliance on just passwords to protect their identity, an easier sign-on experience, and it makes it measurably more difficult for a bad actor to compromise an account – even if they have the password.”
“Passwords will still be with us for a long time to come; multi-factor capabilities like this reduce their use, limit their exposure, and provide extra levels of assurance against compromise,” he added, and urged users to give the feature a try.