July 3rd, 2025

Microsoft Discontinues Password Management and Autofill Features in Authenticator App

Severity Level: Informational

Technical Details

Threat Level: Informational.

Timeline:

June 2025: Users can no longer add/import new passwords into Authenticator.
July 2025: Autofill stops working; saved payment information is deleted.
August 2025: All saved passwords will be permanently deleted from Authenticator. Unsaved generated passwords will also be erased.

Scope of Change:

Passwords and addresses will no longer be accessible within Authenticator.
Microsoft Edge becomes the new default provider for password autofill for Microsoft accounts.
Passkeys remain functional, but disabling Authenticator will also disable passkey access.

User Impact:

Users must export passwords from Authenticator before August 1, 2025, to avoid losing access.
Exported passwords are unencrypted and must be handled securely during migration.
Manual recreation of payment information will be required, as it will not sync to Edge.

Our Cyber Threat Intelligence Unit is tracking a significant change to Microsoft’s authentication ecosystem: the company is phasing out password management and autofill functionality from the Microsoft Authenticator app by August 2025. This move is part of Microsoft’s broader strategy to consolidate credential management within the Edge browser and move toward a passwordless future by using technologies like passkeys and Windows Hello. It aligns with Microsoft's overall security goals and the growing industry trend of eliminating password-based authentication, which continues to be a major security vulnerability. This change affects an estimated 75 million users or more globally and will impact how users store, autofill, and access credentials across mobile and desktop environments. While passkeys will remain supported, organizations and users relying on Authenticator for password storage must be prepared to export credentials or migrate to alternative solutions.

Impact

Credential Loss: Users who do not export data before August risk losing access to stored credentials.
Operational Disruption: Enterprises relying on Authenticator for autofill across mobile workflows may experience login delays.
Cross-Platform Friction: Organizations that rely on non-Microsoft browsers (e.g., Chrome, Safari) must seek third-party password managers to retain compatibility.
Potential gaps in account security: If credentials are not transitioned securely or are stored in less secure alternatives, overall account security can decrease.
Additional IT overhead: Organizations will face additional overhead to manage password exports, user training, and new tool adoption.
Security Tradeoffs: Push toward passkeys enhances phishing resistance. However, exported passwords not securely deleted post-migration may pose a data leakage risk.

It’s essential to act before the changes go into effect to prevent loss of credentials, reduced login efficiency, and potential exposure of sensitive accounts.

Detection Method

Organizations should note that this is not a traditional exploit but an infrastructure deprecation. Regardless, organizations are advised to:

Audit Device Usage: Identify users or systems relying on Microsoft Authenticator for autofill or password storage.
Monitor Login Failures: Increased authentication errors may indicate migration issues or expired autofill support.
Review Device Configurations:
- Check the default autofill provider settings on mobile and managed devices.
- Validate that Microsoft Edge is appropriately installed and authorized, if used.

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this advisory.

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

Export Passwords Immediately:
- Go to Settings > Export passwords in Authenticator.
- Securely import them into Edge, Bitwarden, Google Password Manager, or iCloud Keychain.
Set New Autofill Provider:
- On iOS: Settings > Passwords > Autofill > Choose Provider (Edge or Other).
- On Android: Use system autofill service settings.
Avoid Data Loss:
- Export before August 1, 2025 — saved credentials will be irreversibly deleted afterward.
- Manually re-enter payment data as it will not be synced.
Secure Exported Files:
- Delete exported password files immediately after importing.
- Avoid saving unencrypted credential backups on cloud storage or shared drives.
- Avoid saving passwords in unsecured formats, such as plain text files or unprotected notes, during transitions.
Prepare for Passkey Adoption:
- Inform and educate users, especially IT teams and mobile device users, about the upcoming deprecation.
- Encourage users to enable passkeys and configure biometric authentication where possible.
- Keep Authenticator enabled if using it as your passkey provider.

Conclusion

The decision to remove password management capabilities from Microsoft Authenticator marks a pivotal shift in how users interact with identity tools across platforms. This transition signals Microsoft's long-term commitment to modern identity protection. While the change enhances long-term security by centralizing credentials and promoting passkeys, the immediate impact may introduce friction for millions of users and organizations.

We encourage organizations to begin migrating credentials now, select a standardized autofill provider, and communicate with end users to minimize disruption before the August 2025 deadline. Acting early ensures continuous access to vital services, enhances account security, and prepares users for safer, passwordless workflows in the future.

References

https://thehackernews.com/2025/07/microsoft-removes-password-management.html

https://www.theverge.com/news/695288/microsoft-authenticator-autofill-store-passwords

https://support.microsoft.com/en-us/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6

https://www.gbnews.com/tech/microsoft-authenticator-delete-passwords