The Microsoft Authenticator app for iOS devices is now compliant with the U.S. government’s “Federal Information Processing Standards (FIPS) 140” security standard, according to a Thursday Microsoft announcement.
FIPS 140 compliance is currently available when using Microsoft Authenticator “version 6.6.8 and higher” on iOS devices. Microsoft described the compliance in terms of Azure Active Directory product interactivity, as follows:
“Authenticator version 6.6.8 and higher on iOS is FIPS 140 compliant for all Azure Active Directory (Azure AD) authentications using push multifactor authentications (MFA), Passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP).”
Microsoft Authenticator is FIPS 140 compliant for iOS devices, but Microsoft stopped short of saying that it was certified. Being FIPS 140 compliant means that Authenticator relies on FIPS 140-validated products for its cryptographic functioning, according to this Microsoft “Overview” document on FIPS 140-2. The term “validated,” on the other hand, gets used when products have been certified by the Cryptographic Module Validation Program, overseen by the U.S. National Institute of Standards and Technology and the Canadian Centre for Cyber Security.
Specifically, Microsoft Authenticator uses Apple’s cryptography to “achieve FIPS 140, Security Level 1 compliance on Apple iOS devices,” Microsoft’s announcement explained.
Microsoft suggested that Authenticator’s FIPS 140 compliance would help federal agencies that are carrying out the “requirements of the Biden administration’s Executive Order (EO) 14028, ‘Improving the Nation’s Cybersecurity,’” as well as healthcare organizations working with the Electronic Prescriptions for Controlled Substances (EPCS) rule concerning electronic prescriptions.
Microsoft is working next on FIPS 140 compliance for Authenticator on Android devices, which will be “coming soon.”
At a larger level, Microsoft is now one of four cloud services contractors vying for Pentagon dollars. The U.S. Department of Defense’s $9 billion Joint Warfighting Cloud Capability program, formerly called the Joint Enterprise Defense Infrastructure (JEDI) program, is getting contracted out to Alphabet (Google’s parent company), Amazon Web Services, Oracle and Microsoft, according to a Dec. 7 Reuters story.
Microsoft outlined all of its assets to deliver an “enterprise-level tactical cloud” to U.S. military agencies in this Dec. 8 announcement.
“With comprehensive infrastructure and data management solutions like Azure Arc, Microsoft Purview and Defender for Cloud, Microsoft will be a key partner to the DoD as they navigate the multi-cloud environment and ensure seamless interoperability of systems and services,” the announcement indicated.
About the Author
Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.