For several weeks, Microsoft Authenticator has been available as an alternative to Duo Security for Multifactor authentication (MFA) on campus. As people get used to innovations like passwordless sign-in and the ability to back up their passkeys, a few discussions have been had amongst the implementation team during the rollout. We spoke with a few members of the Microsoft Authenticator Adoption Project team about their experiences.
Shanta Ball, Project Manager: The nice thing about this app is that we all use it differently, which is nice. Some people may prefer the passkey over the matching number. I’m the opposite. I’m not a fan of the passkey, but that’s just me. I’m sure everyone has a different opinion on what their favorite thing is and how they’d like to log in…and we have those options now. With Duo, you have to do it the Duo way. There are no options.
Ian Aberle, Sr. IT Communications Specialist and Trainer: Yeah, there is something satisfying about that. I’m actually doing something actively, like typing in that two-digit number, as opposed to just kind of blindly holding up the phone to my face… but I have to say, “I love that feature.” I can sign in so quickly now.
Graeme Varga, Identity Engineer: That’s part of the spec, which is called a gesture. You must make some gestures for things to happen. So, that’s going to be doing something like number matching and then using Face ID or tapping the button on your YubiKey and entering a PIN.
To the point of user experiences, Microsoft will soon introduce device-based login experiences. So, when you said you didn’t like passkeys—which are device-bound currently, you will soon have the option to use an alternative method, and that alternative method will be remembered for the device you are using.
Currently, if you have a passkey on your Authenticator app and you’re logging into a service on your phone, your phone will automatically see your passkey and present it as an option. So, in that situation, it’s extremely user-friendly, but if you are on your desktop and prefer another method or that device doesn’t support passkeys, it will still default to the passkey since it’s the last method successfully used. This isn’t ideal, but there are easy ways to get back on track.
Here’s an example. If you use passkeys, the next time you log in, no matter where you are or what device you are using, it will default to the passkey first. If you find yourself in this situation you will need to hit ‘cancel’ on the login page where you will then be presented with options to use other methods, you have registered or even your password if no other methods are supported on that device. In the future, your login method will be remembered based on the device you are using, and it will always present the right login method for that device.
Ian: While the device-based preferences are not here yet, I’m glad to know they are on Microsoft’s roadmap. I’m happy to know that by switching to Microsoft Authenticator, I’m going to be able to take advantage of these features soon. What else should we know?
Graeme: We have some people using the camera app on their phone to scan the QR code on the wiki, and it wasn’t working. Unfortunately, you have to go into the Microsoft Authenticator app and click the + (plus) icon at the top, select Work or school account, and then use the Scan QR Code, or click the blue QR code button at the bottom of the main page.
Shanta: As to backing up passkeys, I’m curious what it’s backing up, because my account backed up fine.
Graeme: Microsoft Authenticator displays a notice, and like many of us, you might have dismissed it and then just never show it again. But this notice was basically telling us, ‘Now your Authenticator app automatically backs up to your iCloud account’, so you no longer need to go into your settings and turn it on anymore, is automatically enabled now. If you’re already backing up your phone to the cloud, it will just be part of that process, and your account will automatically show up in the Authenticator app in the event you need to replace or restore your phone. It’s important to remember though, you will still need to use strong authentication to completely restore your device as MFA or passwordless capable, so always having a backup device such as an iPad or security hardware key registered is crucial to not get locked out.
Ian: That’s one of those things we definitely want to highlight in the FAQ or in a blog post, especially when you know some of us will be getting new phones for the holidays…fingers crossed.
If you are interested in switching from Duo to Microsoft Authenticator, simply install the Microsoft Authenticator app on your mobile device (available for iOS and Android), follow these instructions, and complete the enrollment form to join our early adopters group.
As always, if you need additional assistance, feel free to contact the IT Help Desk at 214-768-HELP (4357) or email help@smu.edu.
Updated 11/14/2025: Clarified details of the gesture.
