Microsoft has announced that it will discontinue the password storage and autofill feature in the Authenticator app starting in July and will complete the deprecation in August 2025.
The decision is to streamline autofill support and consolidate credentials management under a single platform, Microsoft Edge.
The move requires action from impacted users as they are given until August 1, 2025, to export their information from Authenticator, or risk losing it.
Microsoft Authenticator is a free mobile app (iOS and Android) that provides secure sign-in for mobile accounts using multi-factor authentication (MFA) methods like time-based one-time passwords (TOTPs), push notifications, or biometrics-based confirmations.
The app supports authentication for Microsoft services like Microsoft accounts, Azure AD, and GitHub, as well as non-Microsoft platforms.
The autofill feature was added to mobile Authenticator apps in December 2020, allowing users to fill their credentials saved in the Authenticator on sign-in forms automatically.
Support for this feature is about to end, though, as Microsoft announced the phased deprecation of autofill in three steps:
- June 2025: You can no longer save new passwords in Authenticator.
- July 2025: Autofill will stop working in Authenticator; stored payment info will be deleted.
- August 2025: Saved passwords and unsaved generated passwords will no longer be accessible in Authenticator.
Users pushed to (the) Edge
Microsoft announced that autofill and the password manager are now moving to its browser, Edge.
Users who want to continue using the passwords saved in Microsoft Authenticator for autofill will need to install Microsoft Edge on their phone (iOS, Android).
"Your saved passwords (but not your generated password history) and addresses are securely synced to your Microsoft account, and you can continue to access them and enjoy seamless autofill functionality with Microsoft Edge," reads the announcement.
To complete the migration of the autofill functionality to Microsoft's browser, users need to find 'Autofill/Passwords' in their device settings and choose Edge as the preferred service.
Then, launch Edge and sign in with your Microsoft account to allow the syncing of passwords to begin.
If everything is done correctly, all passwords should be accessible via Settings > Passwords on Edge.
If users don't want to use Edge, Microsoft allows exporting passwords so they can be moved to another password manager, but this must be done before August 1, 2025. For payment information, July 2025 is the deadline.
To export passwords from Microsoft Authenticator, select menu > Settings > Autofill > Export Passwords > select an export location and tap 'Save.'
The importing process is only applicable to account passwords. Payment info will have to be manually re-inputted for security reasons.
Microsoft noted that Passkeys will continue to be supported in Authenticator, so users who actively use them to sign in to their Microsoft Accounts must ensure the app remains enabled as their Passkey Provider.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
Comments
YZZCfubwAYcgKtRhitg - 7 months ago
They are literally forcing users to use edge lol. many innocent people will just download edge browser because of this.
leexgx - 7 months ago
I use edge automatically anyway (adblock Built in, I try using chrome mobile but websites are practically unusable on mobile with ads)
But it extremely bugs me that it will NOT use the system set autofill (on including address passwords/payments) so I have to open chrome copy the password and paste it into edge) if chrome had a built in adblocker I wouldn't even use edge at all
ZeroYourHero - 7 months ago
Antitrust violation?
XSp - 7 months ago
Another walled garden dictating how it's users should use their own computers...
Makes it easier for bad actors to exploit vulnerabilities too, since everyone is obliged to do use the same stuff, do the same thing, etc.
Princeps - 7 months ago
LOL this is after they updated their setup flow to encourage you to set up a Passkey, which requires setting your password autofill provider on iOS to Authenticator
JustinFlynn - 7 months ago
So I must have read this differently.
"If you want to use their services, you need to use their product."
I don't use Edge either.
dalewb2 - 6 months ago
It would be nice if they clarified that not just passkeys but one-time passwords (the two-factor connections you setup for different accounts) are being retained as well.
I was initially concerned that Authenticator relies on the older, less-secure HMAC-SHA-1 (https://answers.microsoft.com/en-us/msoffice/forum/all/authenticator-app-not-working-with-sha-256-and-sha/b13f2aec-f259-4ab2-9dc8-f69bcf3ad0c1) until I did some digging with MS CoPilot and learned that SHA-1 used in this context is still considered secure enough for the purpose of time-limited one-time passcodes due to the short-lived nature of the codes (typically 30 seconds), and the use of HMAC, which is not vulnerable to the same attacks as plain SHA-1.
So if you're only using Authenticator for the purpose of Time-based One-Time Passwords (TOTP) you can breathe easy - for now.