Microsoft Authenticator Gains Password Management and Autofill Capabilities

Posted on December 15, 2020 by Paul Thurrott in Cloud, Google Chrome, Microsoft Edge, Mobile with 35 Comments

Microsoft Authenticator can now provide password management and autofill capabilities on mobile, so you can protect synced passwords with multi-factor authentication (MFA), and using the Microsoft account you trust. This capability is now available in public preview.

“Microsoft Authenticator can now securely store and autofill passwords on apps and sites you visit on your mobile device,” Microsoft’s Rajat Luthra writes in the announcement post. “Once you make Authenticator an autofill provider, it will offer to save your passwords when you enter them on a site or app’s login page. Your passwords are protected on mobile with multi-factor authentication [and] are synced using your Microsoft account (outlook.com, hotmail.com, live.com, etc.), making them also available on your desktop with Microsoft Edge and [Google Chrome using a] new Chrome extension.”

To date, Microsoft Authenticator has provided MFA capabilities for your Microsoft, Azure Active Directory (AAD), and other compatible accounts. But this new capability dramatically expands the functionality of the app, letting you also sync all of your passwords more securely through your Microsoft account on mobile. That is, you can now replace the default password management and autofill capabilities on your phone with Microsoft Authenticator.

To get started, update Microsoft Authenticator to the latest version and then navigate to Settings > Beta > Autofill and enable this feature. A new Passwords tab will appear in the main app view alongside the previous tab, now called Authenticator.

Then, you need to configure Authenticator as your autofill provider. On iPhone, open Settings, search for “Autofill Passwords,” and then select “Autofill Passwords” and then “Authenticator.” On Android, open Settings, search for “Autofill,” and then select “Auto-fill service,” “Auto-fill service,” and then “Authenticator.”

These passwords will automatically sync with Microsoft Edge on desktop. If you’re using Google Chrome despite all common sense, then you can install the Microsoft Autofill extension to gain this ability.

A couple of more important points.

Microsoft Authenticator only supports password management and sync through a Microsoft account. You cannot use this feature with a commercial (AAD-type) account; admins interested in enabling autofill through the Microsoft Authenticator app for their organization can refer to the Microsoft Docs website.

Microsoft Authenticator password management and sync also requires iOS 12.0 or newer or Android 6.0 or newer.

Tagged with , , ,

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (40)

40 responses to “Microsoft Authenticator Gains Password Management and Autofill Capabilities”

  1. j5

    I like MS Authenticator and the layout of it. I just wish you could install it on PC too. I like that feature of Authy. What if I don't have access to my phone for whatever reason. I can still log into my accounts with the PC version.

    • hellcatm

      In reply to j5: "Your passwords are protected on mobile with multi-factor authentication [and] are synced using your Microsoft account (outlook.com, hotmail.com, live.com, etc.), making them also available on your desktop with Microsoft Edge and [Google Chrome using a] new Chrome extension.”

      You can with a chrome extension. Unless you mean logging into apps as well?

  2. jdawgnoonan

    I joined the beta for Microsoft Authenticator, but unfortunately policy for the application will not allow me to try the password manager due to my work-related Teams account that I have the application set up with.

  3. wright_is

    I currently use LastPass, but without a Windows client, the MS Authenticator solution is useless, to me. I need my passwords in Windows about 98% of the time and 2% on mobile - mainly when setting up a new phone every 2 years or so.

    Edit: Just checked my Authenticator app, feature not available currently. There is no "beta features" option in settings and I checked with Google Play, I am running the latest version (no updates available).

  4. maktaba

    Can you manually add username and password in the app? Or do you have to log in the website with the Edge browser for it save the password?

  5. codymesh

    this is pretty sweet but isn't it bad security practice to have both the password manager and 2fa as the same app/service?

  6. crunchyfrog

    This is an important step for authenticator but I still can't use it much over LastPass. I only have a few accounts that use Microsoft's tool.

  7. JerryH

    I guess this is OK, but they need to bring it to PC / Mac as well if they want to get any traction against perennial favorites like LastPass. After that, they can look into Family settings where you can share some of the passwords, etc. Until then, it seems like just an also ran.

  8. simard57

    "To get started, update Microsoft Authenticator to the latest version and then navigate to Settings > Beta > Autofill and enable this feature."

    my Autofill setting is all grayed out - am I missing something?

    • simard57

      In reply to Simard57:

      from Microsoft -- however I am using a personal account, not work account

      Q: What if Autofill switch is grayed out for me in Settings?

      A: Autofill is currently in beta and has not yet been enabled for all organizations or account types. If the Autofill switch in Settings is grayed out for you, it is likely because you are using Authenticator app with your work account. You can use this feature on a device where your work account isn’t added. If your organization works with Microsoft, the Autofill switch will be enabled even when a work account is added to Authenticator.

  9. behindmyscreen

    Password generation.....Why do they not include this!

  10. dftf

    What 2FA app would people generally recommend, how often do they go wrong (such as not give you a code, or require you to somehow re-prove identity) and how easy is it to export the data from them, so that if you get a new phone you can get up-and-running straight-away?


    I still use SMS based 2FA for many sites (yeah, yeah, they get sent plain-text and SIM hijacking, I know the risks) as when I've looked into 2FA apps you find loads of horror-stories online about how, especially when changing device, or if a factory reset were ever required on their current one, it's been difficult to get back into the 2FA app, or it's been difficult to get set back up with a lot of sites they use via their own account recovery processes.


    At-least with SMS 2FA it's straightforward...

  11. Bavo Bostoen

    Microsoft should provide detailed information on how these passwords are stored by Edge/Authenticator. How is it stored exactly, where, how is it encrypted, who/what can access => currently it is trivially easy to extract passwords from Edge (or any other browser for that matter). I suppose that is the main reason why most people do not use these built-in browser facilities and choose an external password manager.

    • Paul Thurrott

      I am positive most people, and by a very large margin, use the built-in password managers in web browsers.
      • dftf

        In reply to paul-thurrott:

        Unless you have it disabled via a Group Policy ;)


        I do wonder how there's never been a big security news story around this... I mean, in both Google Chrome and the current Microsoft Edge, your passwords are stored in the "Login Data" file inside your "User Data > Default" folder. So... what's to stop anyone copying-and-pasting this into a different Chrome install and then being able to log into all your websites?


        (In Firefox, I think the files are "key4.db" and "logins.json")

  12. marcosbabu

    Just should add that password management won't work with AAD accounts *even* if a Microsoft-account is present. You gotta remove the AAD account for the beta button to be enabled.

  13. colin79666

    Will be interesting to see exactly how this works, particularly with an eye on security and if it supports import from csv. Can’t use Apple keychain outside their walled garden.


    Potentially a replacement for LastPass now that LogMeIn have ruined its simplicity and tripled the price.

  14. hillcountry

    Did Microsoft mention of this will eventually work with the Teams Safe on mobile or OneDrive Vault? I hope Microsoft has a plan to integrate/consolidate the password and secure files features of Edge, Authenticator, OneDrive Vault, and Teams Safe.

  15. rmlounsbury

    Finally! With this update I could potentially get rid of 1Password and it's annual cost and drop Authy and just use Microsoft Authenticator for both functions. I've been wanting Microsoft to have even just a standalone password management app for ages now.


    On the business side of things I don't have to leverage a third party for password management either. Now we can leverage Edge and Authenticator instead as part of the M365 suite.

  16. ponsaelius

    I am thinking of moving from Lastpass with this. The question is how do I import my existing passwords into edge? Is it as secure or maybe more secure?


    Certainly worth thinking about.

    • rmlounsbury

      In reply to ponsaelius:

      I think in reference to security it is all up to how much you trust Edge when it comes to storing sensitive information. Since on the desktop Edge is where most of this will live.


      I'm wondering the same thing on importing passwords from a service into Edge so it can sync to Authenticator. You can import passwords from another browser but I can't find a way to import from an file generated by a password manager app.

  17. tony_ansley

    Maybe I am missing it, but I don't see a way to store general information (such as Address, CC, SSN, etc) to use for filling out those god-awful shipping forms.


    [edit]

    Also, need a password generator.

    • rmlounsbury

      In reply to tony_ansley:


      You can store address info in Edge and use that to auto-fill forms on websites. You can also save payment information in Edge and fill it that way as well. The only thing that is missing would be the secure notes for things like SSN for auto-fill. You can also use Edge to suggest strong passwords.


      But, the system Microsoft is building does appear to generally rely on you using Microsoft applications (Authenticator + Edge).

    • Paul Thurrott

      Yep. I'm surprised there isn't a generator.
  18. jlmerrill

    I think I have the latest and and don't see he beta option in settings.

  19. bluvg

    Saw this from Brad over at Petri also. If they added a system credential provider for Windows using Authenticator, this would be a HUGE benefit for businesses. That is sorely lacking right now. It's astonishing given Microsoft's focus on security that this is not built in, especially for RDP scenarios where they curiously sidestep the issue whenever the question is raised.

    • Paul Thurrott

      Yes. I've always wondered why Microsoft doesn't have this kind of thing, if only for store apps. You have to manually sign-in to every service. On Android and iOS, it's automated for you by password auto-fill.
  20. mikefrommarkham

    " ... and using the Microsoft account you trust."


    And therein lies my problem: I don't trust Microsoft (nor Google, nor Amazon) enough to let them be the caretakers of my passwords, etc.


    Pass.

Leave a Reply