Security concerns with Microsoft Authenticator App – it can approve requests from locked iPhone

Tags: azure-active-directory, security, two-factor-authentication

We're using the Microsoft Authenticator App for providing Multi-factor authentication (MFA) to resources protected by Azure AD.

I noticed you can approve a request by swiping the push notification from a locked iPhone screen on iOS and approve a login request.

Isn't this really insecure? This means a bad actor can do multi-factor approval from a locked phone for a browser that is pre-authenticated.

Scenario A:

A user is logged in on Windows 10 with the Azure AD account in Windows.

1. Bad actor tries to open a resource, in my case through Visual Studio; just click the already authenticated account (no password required).

2. Swipe the push on the user's device (not uncommon to be on a desk inside the office)

3. Tap approve and you're in!

Scenario B:

A user has the password auto-filled in their browser.

1. The user opens a resource, like Outlook Online, and just clicks login without entering a password since it is auto-filled.

2. Swipe the push on the user's device (not uncommon to be on a desk inside the office)

3. Tap approve and you're in!

UPDATE:

I can also open Internet Explorer and Edge and get right into O365 without ever typing a password just by having a computer (without login password) and a locked iPhone.

View on locked screen (in Swedish):

Best Answer

If I understand your scenario, an actor has stolen both the user's laptop and iPhone (which apparently in Sweden is stored with the laptop) and you've not configured either autofill or password storage settings in Edge. You've also not configured any of the sensitive content on the lock screen settings.

But your contention is that the MFA app is the problem...

Your logic appears flawed. The most obvious problem is that keeping the iPhone and laptop together defeats the point of MFA. The app should be on a device separate from the laptop.