Microsoft Authenticator

When you sign in on a new device or from a new location, we'll send you a security code to enter on the sign-in page. For more info about the authenticator app, see How to use the Microsoft Authenticator app. Turn two-step verification on or off. Go to the Security basics page and sign in with your Microsoft account. Select More security options. NIST SP 800-63B defines the technical guidelines for the implementation of digital authentication. It does so with a framework of authenticator assurance levels (AALs). AALs characterize the strength of the authentication of a digital identity. The guidance also covers the management of the lifecycle of authenticators, including revocation. Feb 22, 2021 The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password.

Microsoft Authenticator

-->

Important

This content is intended for users. If you're an administrator, you can find more information about how to set up and manage your Azure Active Directory (Azure AD) environment in the administrative documentation for Azure Active Directory.

If you're having issues signing in to your account, see When you can't sign in to your Microsoft account for help. Also, you can get more info about what to do when you receive the “That Microsoft account doesn't exist” message when you try to sign in to your Microsoft account.

Microsoft Authenticator App Desktop

The Microsoft Authenticator app helps you sign in to your accounts if you use two-factor verification. Two-factor verification helps you to use your accounts more securely because passwords can be forgotten, stolen, or compromised. Two-factor verification uses a second factor like your phone to make it harder for other people to break in to your account. You can use the Microsoft Authenticator app in multiple ways, including:

  • Two-factor verification. The standard verification method, where one of the factors is your password. After you sign in using your username and password, you can either approve a notification or enter a provided verification code.

  • Phone sign-in. A version of two-factor verification that lets you sign in without requiring a password, using your username and your mobile device with your fingerprint, face, or PIN.

  • Code generation. As a code generator for any other accounts that support authenticator apps.

Authenticator works with any account that uses two-factor verification and supports the time-based one-time password (TOTP) standards.

Your organization might require you to use the Authenticator app to sign in and access your organization's data and documents. Even if your user name appears in the app, the account isn't set up as a verification method until you complete the registration. For more information, see Add your work or school account.

Download and install the app

Install the latest version of the Microsoft Authenticator app, based on your operating system:

  • Google Android. On your Android device, go to Google Play to download and install the Microsoft Authenticator app.

  • Apple iOS. On your Apple iOS device, go to the App Store to download and install the Microsoft Authenticator app.

Microsoft Authenticator

Important

If you're not currently on your mobile device, you can still get the Microsoft Authenticator app by sending yourself a download link from the Microsoft Authenticator page.

Microsoft Authenticator App Windows

Next steps

After you download and install the app, check out the Authenticator app overview to learn more. For more setup options, see:

  • Authenticator app. Download and use an authenticator app to get either an approval notification or a randomly generated approval code for two-step verification or password reset. For step-by-step instructions about how to set up and use the Microsoft Authenticator app, see Set up security info to use an authenticator app.

  • Mobile device text. Enter your mobile device number and get a text a code you'll use for two-step verification or password reset. For step-by-step instructions about how to verify your identity with a text message (SMS), see Set up security info to use text messaging (SMS).

  • Mobile device or work phone call. Enter your mobile device number and get a phone call for two-step verification or password reset. For step-by-step instructions about how to verify your identity with a phone number, see Set up security info to use phone calls.

  • Security key. Register your Microsoft-compatible security key and use it along with a PIN for two-step verification or password reset. For step-by-step instructions about how to verify your identity with a security key, see Set up security info to use a security key.

  • Email address. Enter your work or school email address to get an email for password reset. This option isn't available for two-step verification. For step-by-step instructions about how to set up your email, see Set up security info to use email.

  • Security questions. Answer some security questions created by your administrator for your organization. This option is only available for password reset and not for two-step verification. For step-by-step instructions about how to set up your security questions, see the Set up security info to use security questions article.

Microsoft Authenticator-->

The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication events.

Users may receive a notification through the mobile app for them to approve or deny, or use the Authenticator app to generate an OATH verification code that can be entered in a sign-in interface. If you enable both a notification and verification code, users who register the Authenticator app can use either method to verify their identity.

To use the Authenticator app at a sign-in prompt rather than a username and password combination, see Enable passwordless sign-in with the Microsoft Authenticator app.

Note

Users don't have the option to register their mobile app when they enable SSPR. Instead, users can register their mobile app at https://aka.ms/mfasetup or as part of the combined security info registration at https://aka.ms/setupsecurityinfo.

Passwordless sign-in

Instead of seeing a prompt for a password after entering a username, a user that has enabled phone sign-in from the Microsoft Authenticator app sees a message to tap a number in their app. When the correct number is selected, the sign-in process is complete.

This authentication method provides a high level of security, and removes the need for the user to provide a password at sign-in.

To get started with passwordless sign-in, see Enable passwordless sign-in with the Microsoft Authenticator app.

Notification through mobile app

The Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it's legitimate, select Verify. Otherwise, they can select Deny.

Note

If your organization has staff working in or traveling to China, the Notification through mobile app method on Android devices doesn't work in that country/region as Google play services(including push notifications) are blocked in the region. However iOS notification do work. For Android devices ,alternate authentication methods should be made available for those users.

Verification code from mobile app

The Authenticator app can be used as a software token to generate an OATH verification code. After entering your username and password, you enter the code provided by the Authenticator app into the sign-in interface. The verification code provides a second form of authentication.

Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time.

Warning

To ensure the highest level of security for self-service password reset when only one method is required for reset, a verification code is the only option available to users.

When two methods are required, users can reset using either a notification or verification code in addition to any other enabled methods.

Next steps

Microsoft authenticator app not working

To get started with passwordless sign-in, see Enable passwordless sign-in with the Microsoft Authenticator app.

Microsoft authenticator link

Learn more about configuring authentication methods using the Microsoft Graph REST API.