Microsoft Azure MFA now supports multiple Authenticator apps

I recently purchased a new phone and decided to set it up from scratch, rather than restore a backup from my old phone. This was very quick and easy for me, given that I don’t have too many apps.

The most time-consuming task was moving my Microsoft and Google Authenticator apps because these required me to log into various online systems and re-enrol my authentication device. Thankfully, the Authenticator apps were still active on my old device, so there were no issues.

What’s changed?

During this process I did notice that Microsoft Azure MFA, which is used for Office 365, now allows users to set up the Authenticator app on multiple devices. This is something that users have been requesting for a long time, but was unavailable until recently. In fact, I still can’t find any official announcement by Microsoft of this change.

What are the pros and cons?

Two-factor authentication systems were created to confirm the identity of a user based on their login credentials and another form of identification, such as a security token, smart card, phone number or, in my case, an authenticator app. But if the Microsoft Authenticator is set up on multiple devices, I have increased the probability that someone could use a device that I am not in possession of to authenticate a malicious login attempt.

While it’s unlikely that an online hacker has access to both my credentials and my authentication device, it’s a definite possibility from a malicious co-worker or an individual planted into an organisation to obtain unauthorised access. So multiple authenticators are probably not suitable if you’re working with highly sensitive information.

You also don’t want to be in the situation where someone is trying to log on with your stolen credentials while your 4-year-old is approving authentication requests on your personal tablet.

On the other hand, having Microsoft Authenticator on multiple devices ensures you can use your secondary device to confirm your identity if your primary device is lost or broken. This means you can recover without having to speak to your IT admins or Microsoft, and is suitable for most businesses.

Should I use multiple authenticators?

From a security perspective, the best approach is to limit yourself to a single device that is always in your possession, which is usually your smartphone. However, the added convenience of using Microsoft Authenticator on multiple devices is usually fine as long as you use some common sense. Here are some tips if you’re going to use it on multiple devices.

  • Restrict yourself to as few authentication devices as possible

  • Ensure your authentication devices are password or PIN protected

  • Don’t install Microsoft Authenticator on devices you share with other people, like the kids’ iPad or your partner’s smart phone

  • Delete old authenticators from your account

How to set up the Microsoft Authenticator in Office 365

If you’re not already using Azure MFA for Office 365 then I recommend you set it up as soon as possible. This will protect you if you’re the victim of a phishing scam and have accidentally given away your login credentials.

You can follow these steps to start setting up the Microsoft Authenticator app.

  1. Log into https://portal.office.com/account/ using your Microsoft Office 365 credentials

  2. Click “Manage Security & Privacy”

  3. Click “Additional security verification”

  4. Click “Update your phone numbers used for account security”

  5. Click “Set up Authenticator app” and follow the prompts

Once you’re done, you’ll see your devices listed as shown below. This is where you can now manage your multiple verification devices. Be sure to remove any old authenticator apps from the list.
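The tips above (keep the number of Authenticator devices small, delete old ones) are easy to follow for your own account, but an admin has to check them across a tenant. The following is an added example, not the author’s code: a small Python audit over data shaped like the Microsoft Graph `microsoftAuthenticatorMethods` response (which lists each registered Authenticator app per user). The user names, method ids, device names and the two-device limit are constructed for the example; in practice the dictionary would be filled from Graph calls.

```python
from datetime import datetime

# Constructed sample: the per-user result of
# GET /users/{id}/authentication/microsoftAuthenticatorMethods
# (ids, names and dates are made up for this example).
SAMPLE = {
    "alice@example.com": [
        {"id": "m1", "displayName": "Pixel 7", "createdDateTime": "2024-01-10T09:00:00Z"},
        {"id": "m2", "displayName": "Old iPhone", "createdDateTime": "2021-03-02T12:30:00Z"},
        {"id": "m3", "displayName": "Kids iPad", "createdDateTime": "2023-06-15T18:45:00Z"},
    ],
    "bob@example.com": [
        {"id": "m4", "displayName": "Galaxy S23", "createdDateTime": "2024-02-01T08:00:00Z"},
    ],
}

MAX_DEVICES = 2  # assumed policy: at most two Authenticator apps per user


def parse_time(stamp):
    # Graph returns UTC timestamps with a trailing "Z"; fromisoformat needs an offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit(methods_by_user, max_devices=MAX_DEVICES):
    """Return {user: [method ids]} for users over the limit.

    The oldest registrations are proposed for review first, on the
    assumption that they are the most likely to be stale or forgotten
    devices; an admin still confirms with the user before removing.
    """
    findings = {}
    for user, methods in methods_by_user.items():
        if len(methods) <= max_devices:
            continue
        oldest_first = sorted(methods, key=lambda m: parse_time(m["createdDateTime"]))
        surplus = oldest_first[: len(methods) - max_devices]
        findings[user] = [m["id"] for m in surplus]
    return findings


def removal_path(user, method_id):
    # Graph path an admin would DELETE to remove one registered Authenticator app.
    return f"/users/{user}/authentication/microsoftAuthenticatorMethods/{method_id}"


if __name__ == "__main__":
    for user, ids in audit(SAMPLE).items():
        print(user, "over limit; review:", [removal_path(user, i) for i in ids])
```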