You can use the Microsoft Authenticator application to complete MFA (Multi-Factor Authentication) sign-in when your mobile device has no connectivity. The Authenticator application functions as the primary and backup sign-in method.
The scenario is that your workstation has connectivity to access cloud applications, but your mobile device does not. This could be a loss of data connectivity only, or a complete loss of connectivity on the mobile device, such as having no signal.
When push notification is enabled for the Microsoft Authenticator application, you receive a notification on your device, which you can approve or deny to complete sign-in. When your mobile device has no data, you will not be able to receive these push notifications.
You won’t be able to receive any text (SMS) messages when your mobile device has no signal. This would mean that you also cannot use the text method as a backup sign-in method. This may be a concern as you may think that you will not be able to complete the sign-in request in these situations.
The Microsoft Authenticator application provides a backup sign-in method when configured to use push notifications. This backup method can be used in situations when you have no connectivity on your mobile device.
MFA number matching changes the “Approve” or “Deny” behavior and will be enabled by default after 27 February 2023. You can read more on number matching in my other blog post.
Backup sign-in method
The Microsoft Authenticator application automatically generates codes, which can be used for sign-ins even when push notification is set as your default sign-in method. The auto-generated code can be used as a backup sign-in method when your mobile device has no connectivity.
Using the Microsoft Authenticator auto generated code as backup sign-in method
The user configured the Microsoft Authenticator with push notifications as the default sign-in method. Phone (Text) is also configured as a sign-in method.
The default behavior during sign-in with this configuration would be a notification on my mobile device to approve the sign-in request. Number matching is enabled for this user, thus the prompt on my workstation would appear as per the image below:
The mobile device is set to airplane mode to simulate the scenario of having no connectivity. This results in not being able to approve the sign-in request using the Microsoft Authenticator application. I also won’t be able to receive a text message on my mobile device to complete the sign-in. It may seem that I do not have any available sign-in method to complete the sign-in request.
I can wait for the timeout to occur and select “Enter a security code from your Microsoft account or authenticator app instead” on the sign-in window as per image below:
This will take me directly to the next window which will prompt for the code:
I can also select “I can’t use my Microsoft Authenticator app right now” on the sign-in window instead of waiting for the request to time out.
This will prompt me to select an alternative sign-in method based on the available methods configured during MFA setup or added later using the “My Security Info” page. I won’t be able to use text, so I will select “Use a verification code”.
This will take me to the sign-in window prompting to enter the code:
I can obtain the code by selecting the appropriate account in the Microsoft Authenticator application.
I can now use the code from the Authenticator application to complete the sign-in request. The code will continue to change every 30 seconds even with no connectivity on the mobile device.
The Microsoft Authenticator application can be used as your primary and backup sign-in method. You don’t need to rely on a text message and can still complete a sign-in request when your mobile device has no connectivity.