Enforce Microsoft Authenticator App Lock
We would like to enforce the 'app lock' setting on the Microsoft Authenticator app to force users to either enter their device passcode or use biometric authentication before opening the app.
This could be through an Intune app config or a built-in setting.
Currently, if an unlocked device were compromised, the attacker would be able to circumvent the account's MFA security.
Alex M commented
Currently the Authenticator app is a single auth factor (something you have). The app can be used on mobiles with no device lock. Please enable us to require an additional factor (PIN/biometric) to access validation checks for our tenant if the device has no lock configured. Something like an Intune MAM policy that requires app-level auth if there's no device lock.
Kurt Roggen commented
Another relevant consideration is to provide MAM support for the MS Authenticator app when managed through Intune.
Alex Janes commented
I'm amazed this isn't available as a feature. Microsoft explains that the password is the thing you know, and the phone is the thing you have. So you don't need to unlock the phone, since the thing you know was already accounted for.
I get it. But it still should be enforceable to lock the app.
It's a real security risk if a user's mobile device is compromised in an unlocked state and the Authenticator app needs no separate authentication. Hope this is high on the roadmap!