osestudy.blogg.se

Move Microsoft Authenticator to new phone without old phone










    Hello! With the dust settling from Ignite 2019, let’s dive in with “how stuff works” – focusing on the Microsoft Authenticator’s backup and restore feature.

    Earlier this year we released the Microsoft Authenticator backup and restore feature on iOS and Android, which lets you easily move your accounts on the Authenticator app to a new device. Some folks have asked how we secure this process – in this blog, we’ll deep dive into how it works.

    In the descriptions below, a “strong authentication token” means the user has authenticated using multi factor authentication - for example, they used a password and then entered a code sent to their phone or email or signed in with Windows Hello or a FIDO token, depending on the factors they have previously enabled.

    Overview of how the Microsoft Authenticator works

    The Microsoft Authenticator supports a variety of authentication mechanisms to support Microsoft consumer, work and school accounts in different modes, as well as any account which supports the OATH TOTP standard.

    For accounts using the OATH TOTP standard, there is a shared secret stored both in the Authenticator app and in the identity provider.

    For accounts using other mechanisms, the Authenticator creates a public/private keypair in a hardware backed storage (e.g. the Keychain on iOS and Keystore on Android) and exports the public key to Microsoft’s login server. The private key never leaves the device when a user is using the backup or restore features of their Authenticator app or when using the operating system app restore features.

    To restore Microsoft Authenticator accounts on a new device, the user must first back up their current device.

  • The user starts the backup process by clicking on the menu, going to settings, and enabling backup.
  • The Authenticator app uses a strong authentication token to request a 256-bit key from an internal Microsoft account key service.
  • The app receives this key and a retrieval id (Key ID) from the key service.
  • The Authenticator uses the key to create an encrypted JSON Web Encryption blob (JWE) using AES-256. The information contained varies based on what accounts the Authenticator’s owner has configured.
  • For all accounts, the Authenticator encrypts relevant metadata about the account such as:
  • For OATH TOTP accounts (including personal Microsoft account and third party), the JWE also includes the shared secret used in TOTP.
  • The data above is also hashed with SHA-512 to protect against theft and tampering and this hash is added to the JWE.
  • The JWE and the Key ID are then uploaded to the appropriate cloud storage:
  • For Android devices, they are stored in Microsoft’s cloud storage provider and tied to the user’s personal Microsoft account.
  • For iOS devices, they are stored in iCloud and tied to the user’s Apple account.

    After the backup has been successfully created, the user can restore their Microsoft Authenticator accounts on a new device.
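    The backup steps above put the TOTP shared secret and a SHA-512 hash of the account data into the backup. The following sketch is an added example, not Microsoft's code: it shows why a restored secret yields the same codes on a new phone and how a restore can reject a payload that no longer matches its hash. The JSON layout, field names and sample account are assumptions, and the AES-256 JWE encryption step is left out.

```python
import base64
import hashlib
import hmac
import json
import struct


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the time."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_backup(accounts):
    """Serialize the account records and attach a SHA-512 digest of them.
    Assumed layout; the real app would then encrypt this into the JWE."""
    body = json.dumps(accounts, sort_keys=True)
    digest = hashlib.sha512(body.encode()).hexdigest()
    return json.dumps({"accounts": body, "sha512": digest})


def restore_backup(blob):
    """Recompute the digest before trusting any restored secret."""
    doc = json.loads(blob)
    digest = hashlib.sha512(doc["accounts"].encode()).hexdigest()
    if not hmac.compare_digest(digest, doc["sha512"]):
        raise ValueError("backup payload does not match its SHA-512 digest")
    return json.loads(doc["accounts"])


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE = [{"issuer": "example.test", "user": "alice", "type": "totp",
           "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}]

if __name__ == "__main__":
    blob = build_backup(SAMPLE)
    restored = restore_backup(blob)
    # Old and new device derive the same code from the same secret and time.
    print(totp(SAMPLE[0]["secret"], 59), totp(restored[0]["secret"], 59))
    try:
        restore_backup(blob.replace("alice", "mallory"))
    except ValueError as err:
        print("rejected:", err)
```

    Accounts that rely on the device-bound private key have no counterpart in this sketch, because the page states that key never leaves the device.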











