Microsoft Authenticator on iOS moves backups entirely to iCloud


Microsoft is rolling out a new backup system in September for its Authenticator app on iOS, removing the requirement to use a personal Microsoft account to back up TOTP secrets and account names.

Previously, the Microsoft Authenticator app forced iOS users to sign in with a personal Microsoft account to enable backups, whether they used the app for personal or business credentials.

This created problems in corporate environments, where organizations often prefer to keep personal and corporate data separate.

The new backup system will continue to use the signed-in iCloud account to store backups, but no longer with the requirement to use a Microsoft account. If the company uses a managed Apple ID on its company devices, that will be used in place of a personal account.

Microsoft says this new feature will start rolling out in September and will be completed in early October 2025, with users shown a notification about the new experience in the app, as shown below.

In-app notice about the upcoming change
Source: Microsoft

Microsoft says that this feature will only be available to users running iOS 16.0 or later with iCloud and iCloud Keychain enabled. Once installed, account names and TOTP credentials (secrets) will be saved in iCloud and automatically restored to new devices that use the same Apple account.

“Account names for all the accounts of the Authenticator application – including work or school accounts, Microsoft personal accounts and non-Microsoft accounts (such as Amazon, Google) – will be safely saved using iCloud and iCloud Keychain,” reads Microsoft’s announcement.

The company stresses that only the TOTP secrets will be saved and no other information, and that users can disable the backup feature via the iCloud settings on their device.

Microsoft says that this feature will be deployed automatically to all users, with no administrator action required.

The feature follows Microsoft’s recent announcement that it is removing the automatic password and authenticator management features.
