This article answers common questions about Microsoft Authenticator. Select the headings below to see more information.

Verification codes

No. The codes don't require you to be on the internet or connected to data, so you don't need phone service to sign in. Additionally, because the app stops running as soon as you close it, it won't drain your battery.

Sign in responses

Yes. To get sign in notifications and to send your response your device needs to be connected to the internet.

Microsoft Authenticator is not available for desktop computers because authenticator apps are typically designed for smartphones for two main reasons:

  1. Security: Having the second factor of a security question on a separate device enhances security. If both factors (password and authentication) are on the same device, it would be easier for an attacker to compromise both.

  2. Availability: Mobile devices are almost always with the user, making them convenient for authentication purposes. Desktops, on the other hand, are not as portable. Having your authenticator only on your PC means you couldn't sign in away from your home or desk.

A: If you're using Microsoft Authenticator with an Android or iOS work profile, make sure you add biometrics in your work profile. Biometrics for regular security don't always carry over to work profiles.

Verified IDs are secure trusted credentials that can be used by websites and organizations to make account setup simpler and safer. Usually, you'll use your device's camera to capture a QR code on the site to get a new Verified ID, or a verification of an ID already on your device. You still use your password to access credentials to share with another organization.

Sites that request your Verified ID will show up in the usage history in the details of your Verified ID card.  

You can set up notifications for your work or school account (if allowed by your administrator) or for your personal Microsoft account. 

Note: Notifications won't work for third-party accounts, like Google or Facebook.

To switch your personal account over to notifications, you'll have to re-register your device with the account. Go to Add Account, select Personal Microsoft Account, and then sign in using your username and password.

For your work or school account, your organization decides whether to allow one-click notifications.

No, notifications only work with Microsoft personal accounts work or school accounts. Work or school IT admins may turn off this feature.

Adding Authenticator to your new device doesn't automatically remove the app from your old device. Even deleting the app from your old device isn't enough. You must both delete the app from your old device AND tell Microsoft or your organization to forget and unregister the old device.

  • To remove the app from a device using a personal Microsoft account, go to the two-step verification area of your Account Security page and choose to turn off verification for your old device.

  • To remove the app from a device using a work or school Microsoft account, go to the two-step verification area of either your My Apps page or your organization's company portal to turn off verification for your old device.

No, Apple Watch and Android wearable devices (such as Samsung Galaxy Watch) are currently incompatible with Authenticator’s security features, but you can mirror Authenticator notifications from your phone to your wearable device. 

You will see a prompt from Authenticator asking for access to your location if your IT admin has created a policy requiring you to share your GPS location before you are allowed to access specific resources. You’ll need to share your location once every hour to ensure you are still within a country where you are allowed to access the resource.

On iOS, Microsoft recommends allowing the app to access location always. Follow the iOS prompts to grant that permission. Here’s what each permission level will mean for you:

  • Allow while using the app: If you choose this option, you’ll be prompted to select two more options.

  • Always allow (recommended): While you’re still accessing the protected resource, for the next 24 hours, your location will be shared silently once per hour from the device, so you will not need to get out your phone and manually approve each hour.

  • Keep only while using: While you’re still accessing the protected resource, every hour, you’ll need to pull out your device and manually approve the request.

  • Allow once: Once every hour that you’re still accessing the resource, or next time you try to access the resource, you’ll need to grant permission again. You will need to go to Settings and manually enable the permission.

  • Don’t allow: If you select this option, you’ll be blocked from accessing the resource. If you change your mind, you will need to go to Settings and manually enable the permission.

On Android, Microsoft recommends allowing the app to access location all the time. Follow the Android prompts to grant that permission. Here’s what each permission level will mean for you:

  • Allow all the time (recommended): While you’re still accessing the protected resource, for the next 24 hours, your location will be shared silently once per hour from the device, so you will not need to get out your phone and manually approve each hour.

  • Allow only while using the app: While you’re still accessing the protected resource, every hour, you’ll need to pull out your device and manually approve the request.

  • Deny and don’t ask again: If you select this option, you’ll be blocked from accessing the resource.

Authenticator collects your GPS information to determine what country you are located in. The country name and location coordinates are sent back to the system to determine if you are allowed to access the protected resource. The country name is stored and reported back to your IT admin (if applicable), but your actual coordinates are never saved or stored on Microsoft servers.

Authenticator now securely stores and auto-fills passwords on apps and websites you visit on your phone. You can use Autofill to sync and autofill your passwords on your iOS and Android devices. After setting up Authenticator as an autofill provider on your phone, it offers to save your passwords when you enter them on a site or in an app sign-in page. The passwords are saved as part of your personal Microsoft account and are also available when you sign in to Microsoft Edge with your personal Microsoft account.

To turn Autofill on:

  1. Open Authenticator.

  2. On the Passwords tab in Authenticator, select Sign in with Microsoft and sign in using your Microsoft account. This feature currently supports only Microsoft accounts and doesn't yet support work or school accounts.

To make Authenticator the default autofill provider, follow these steps:

  1. Open Authenticator.

  2. On the Passwords tab inside the app, select Sign in with Microsoft and sign in using your Microsoft account.

  3. Do one of the following:

    • On iOS, under Settings, select How to turn on Autofill in the Autofill settings section to learn how to set Authenticator as the default autofill provider.

    • On Android, under Settings, select Set as Autofill provider in the Autofill settings section.

Notes: 

  • If Autofill is not available for you in Authenticator, it might be because autofill has not yet been allowed for your organization or account type.

  • Password autofill won't sync work or school account passwords.

For IT Admins:

All enterprises or schools added in Authenticator need to be allowlisted for Autofill in Authenticator for the app owner to be able to use it. The one exception to this restriction is when your employee or student adds their work or school account into Microsoft cloud-based two-step verification as an external or third-party account.

Enterprises can only enable passwords autofill for all or none of their employees.

App Lock helps keep your one-time verification codes, app information, and app settings more secure. When App Lock is enabled, you’ll be asked to authenticate using your device PIN or biometric every time you open Authenticator. App Lock also helps ensure that you’re the only one who can approve notifications by prompting for your PIN or biometric any time you approve a sign-in notification. You can turn App Lock on or off on the Authenticator Settings page. By default, App Lock is turned on when you set up a PIN or biometric on your device. Unfortunately, there's no guarantee that App Lock will stop someone from accessing Authenticator. That's because device registration can happen in other locations outside of Authenticator, such as in Android account settings or in the Company Portal app.

To see your OTP codes in screenshots or allow other apps to capture the Authenticator screen, turn on Screen Capture in Authenticator's Settings and restart the app.

Authenticator collects three types of information:

  • Account info you provide when you add your account. After adding your account, depending on the features you enable for the account, your account data might sync down to the app. This data is stored on your device and can be removed by removing your account.

  • Non-personally identifiable usage data, such as aggregate details about success or failure of important operations that are used to detect decreased reliability and bugs. This minimal data is needed to keep the app updated and secure. You need to accept the notice of this data collection when you use the app for the first time. You can also allow the sharing of additional non-personal usage data by turning on the “Usage Data” toggle button on the app's Settings page or when you use the app for the first time. This data allows our engineers to improve the app in ways that are important to you. This setting can be turned on or off at any time.

  • Diagnostic log data that stays only in the app until you select Send feedback in the app's top menu to send logs to Microsoft. These logs can contain personal data such as email addresses, server addresses, or IP addresses. They also can contain device data such as device name and operating system version. Any personal data collected is limited to information needed to help troubleshoot app issues. You can browse these log files in the app at any time to see the information being gathered. If you send your log files, Authenticator engineers will use them only to troubleshoot customer-reported issues.

For more information, review the Microsoft Privacy Statement.

The active verification code changes every 30 seconds so that if somebody were to learn what code you used to verify your sign in yesterday, or even a minute ago, they wouldn't be able to use that code to get into your account. This timer is the countdown to the verification code changing to the next code. Unlike a password, we don't want you to remember this number. Only someone with access to your phone should be able to get your verification code.

Caution: A common trick of attackers is to contact you via text or phone pretending to be your bank, IT support, or other service provider and saying they need you to read them the code from your Authenticator to verify your identity on the call. Don't give them the code - they're trying to break into your account and are stuck at the verification prompt. No real company should ever ask you to read your verification code to them over the telephone - especially if they called you.

Your work or school organization might require you to register the device to track access to secured resources, such as files and apps. They also might turn on Conditional Access to reduce the risk of unwanted access to those resources. You can unregister your device in Settings, but you may lose access to emails in Outlook, files in OneDrive, and you'll lose the ability to use phone sign-in.

See also

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.