Microsoft Authenticator can now provide password management and autofill capabilities on mobile, so you can protect synced passwords with multi-factor authentication (MFA) and sync them using the Microsoft account you trust. This capability is now available in public preview.
“Microsoft Authenticator can now securely store and autofill passwords on apps and sites you visit on your mobile device,” Microsoft’s Rajat Luthra writes in the announcement post. “Once you make Authenticator an autofill provider, it will offer to save your passwords when you enter them on a site or app’s login page. Your passwords are protected on mobile with multi-factor authentication [and] are synced using your Microsoft account (outlook.com, hotmail.com, live.com, etc.), making them also available on your desktop with Microsoft Edge and [Google Chrome using a] new Chrome extension.”
To date, Microsoft Authenticator has provided MFA capabilities for your Microsoft, Azure Active Directory (AAD), and other compatible accounts. But this new capability dramatically expands the functionality of the app, letting you also sync all of your passwords more securely through your Microsoft account on mobile. That is, you can now replace the default password management and autofill capabilities on your phone with Microsoft Authenticator.
To get started, update Microsoft Authenticator to the latest version and then navigate to Settings > Beta > Autofill and enable this feature. A new Passwords tab will appear in the main app view alongside the previous tab, now called Authenticator.
Then, you need to configure Authenticator as your autofill provider. On iPhone, open Settings, search for “Autofill Passwords,” and then select “Autofill Passwords” and then “Authenticator.” On Android, open Settings, search for “Autofill,” and then select “Auto-fill service,” “Auto-fill service,” and then “Authenticator.”
These passwords will automatically sync with Microsoft Edge on desktop. If you’re using Google Chrome despite all common sense, then you can install the Microsoft Autofill extension to gain this ability.
A couple more important points:
Microsoft Authenticator only supports password management and sync through a Microsoft account. You cannot use this feature with a commercial (AAD-type) account; admins interested in enabling autofill through the Microsoft Authenticator app for their organization can refer to the Microsoft Docs website.
Microsoft Authenticator password management and sync also requires iOS 12.0 or newer or Android 6.0 or newer.
dftf
In reply to paul-thurrott:
Unless you have it disabled via a Group Policy ;)
I do wonder how there's never been a big security news story around this… I mean, in both Google Chrome and the current Microsoft Edge, your passwords are stored in the "Login Data" file inside your "User Data > Default" folder. So… what's to stop anyone copying and pasting this into a different Chrome install and then being able to log into all your websites?
(In Firefox, I think the files are "key4.db" and "logins.json")
dftf
What 2FA app would people generally recommend, how often do they go wrong (such as not giving you a code, or requiring you to somehow re-prove identity) and how easy is it to export the data from them, so that if you get a new phone you can get up and running straight away?
I still use SMS-based 2FA for many sites (yeah, yeah, they get sent plain-text and SIM hijacking, I know the risks) as when I've looked into 2FA apps you find loads of horror stories online about how, especially when changing device, or if a factory reset were ever required on their current one, it's been difficult to get back into the 2FA app, or it's been difficult to get set back up with a lot of sites they use via their own account recovery processes.
At least with SMS 2FA it's straightforward…