Unit 3: Explore Authenticator App and OATH Tokens

Microsoft Authenticator App

The Microsoft Authenticator app:

• Is available for Android and iOS.
• Can be used for passwordless sign-in, MFA, and SSPR verification.
• Sends push notifications that users approve or deny.
• Can generate OATH verification codes as software tokens.

Use cases:

• Passwordless sign-in to Entra accounts.
• Secondary verification during SSPR.
• Secondary factor in MFA.

Behavior:

• Users may receive a notification and choose Verify if legitimate or Deny if suspicious.
• The app can also display a time-based OATH code that the user manually enters during sign-in.
• Users can have up to five OATH hardware tokens or authenticator applications configured at the same time.

Open Authentication (OATH) Tokens

OATH TOTP (Time-based One-Time Password):

• Is an open standard for generating one-time codes.
• Codes are time-based.
• Implemented via software or hardware tokens.
• Microsoft Entra ID does not support OATH HOTP (counter-based).
• HOTP (HMAC-based One-Time Password):
• Counter-based OTP standard defined by OATH.
• OTP changes after each use.

HMAC stands for: Hash-based Message Authentication Code.

OATH software tokens:

• Typically apps like Microsoft Authenticator or other OATH apps.
• Entra ID generates the secret key (seed). (We enter this to setup authenticator app but usually we just use the QR code to set it up)
• Seed is entered into the app to generate each OTP.

🔍 What Happens When You Scan the QR Code

• The QR code contains the seed (the shared secret key), encoded in a standard format like otpauth://.

• When you scan it with Microsoft Authenticator (or any OATH-compliant app), the app:

• Extracts the seed
• Stores it securely
• Starts generating TOTP codes every 30 seconds

Important behaviors:

• Authenticator app automatically generates codes when set up for push notifications, so it works even without connectivity.
• Third-party OATH TOTP apps can also be used if they support TOTP.