August 17th, 2024

Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out

A design flaw in Microsoft Authenticator causes account lockouts when adding new accounts via QR code, as it overwrites existing ones without proper notification, leading to user frustration and confusion.


A design flaw in Microsoft Authenticator is locking users out of their accounts when they add a new account by scanning a QR code. The app keys its entries on the username, typically an email address, so a new entry with the same username silently replaces the existing one, and the app does not adequately warn users of the consequence: the previous secret is gone and the codes for that account stop working. The behaviour has existed since the app launched in 2016, and user complaints date back to at least 2020. Other authenticator apps avoid the collision by combining the issuer's name (the bank, cloud provider or other service that generated the QR code) with the username; Microsoft Authenticator uses the username alone. Microsoft has acknowledged the reports but says the app is working as intended, placing responsibility on users and on the vendors whose QR codes omit the issuer. Experts criticize the design, noting that it creates needless helpdesk load and questioning why an organization would choose Microsoft Authenticator over the alternatives. Workarounds include using a different authenticator app or entering the account details manually instead of scanning the QR code. The episode illustrates a broader usability problem in security tooling, where a single design decision can materially degrade both the user experience and security.
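To make the collision concrete, here is an added example (not Microsoft's code, and not from the original article) that parses the otpauth:// URIs carried by provisioning QR codes and imports them under the two keying strategies the article contrasts: username only, versus issuer plus username. The three URIs, their issuers (ExampleBank, ExampleCloud, ExampleShop) and their secrets are constructed for the demonstration; the third one carries the issuer only in the query parameter, not in the label prefix, which is the case one commenter below asks about.

```python
"""Why keying authenticator entries on the account name alone collides.

Added example, not Microsoft's code and not from the original article. It
parses the otpauth:// URIs that provisioning QR codes carry and imports them
with the two keying strategies the article contrasts. All URIs and secrets
below are constructed for the demonstration.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample QR-code payloads for one user, alice@example.com, at
# three different services. The third one carries the issuer only in the
# query parameter, not in the label prefix.
SAMPLE_QR_CODES = [
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank",
    "otpauth://totp/ExampleCloud:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQ&issuer=ExampleCloud",
    "otpauth://totp/alice%40example.com?secret=KRSXG5DJNZTQ&issuer=ExampleShop",
]


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ or otpauth://hotp/ URI into its fields.

    The label is "issuer:account" or just "account"; the issuer may also be
    given as a query parameter, which is the authoritative place for it.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError(f"not an otpauth TOTP/HOTP URI: {uri!r}")
    label = unquote(u.path.lstrip("/"))
    label_issuer, account = "", label
    if ":" in label:
        label_issuer, account = (part.strip() for part in label.split(":", 1))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "type": u.netloc,
        "issuer": params.get("issuer") or label_issuer,
        "account": account,
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def key_by_account(entry: dict):
    """The keying the article attributes to Microsoft Authenticator."""
    return entry["account"]


def key_by_issuer_and_account(entry: dict):
    """The keying the article attributes to Google Authenticator and others."""
    return (entry["issuer"], entry["account"])


def import_qr_codes(uris, key_fn):
    """Import entries into a dict keyed by key_fn.

    Returns (store, clobbered), where clobbered lists (old_issuer, new_issuer)
    pairs for every entry whose secret was silently replaced by a later one.
    """
    store, clobbered = {}, []
    for uri in uris:
        entry = parse_otpauth(uri)
        key = key_fn(entry)
        if key in store and store[key]["secret"] != entry["secret"]:
            clobbered.append((store[key]["issuer"], entry["issuer"]))
        store[key] = entry
    return store, clobbered


if __name__ == "__main__":
    for name, key_fn in (("account only", key_by_account),
                         ("issuer + account", key_by_issuer_and_account)):
        store, clobbered = import_qr_codes(SAMPLE_QR_CODES, key_fn)
        print(f"{name}: {len(store)} entries kept, {len(clobbered)} overwritten")
        for old, new in clobbered:
            print(f"  secret for {old} replaced by {new}")
```

Keyed on the account alone, the three imports leave one entry and two lost secrets; keyed on issuer plus account, all three survive. An importer that wants to be safe regardless of key should refuse, or at least prompt, when the key already exists with a different secret, rather than overwrite.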

- Microsoft Authenticator overwrites existing accounts when adding new ones via QR code, causing user lockouts.

- The app only uses usernames, typically email addresses, leading to conflicts and confusion.

- Microsoft claims the issue is a feature, blaming users and vendors for the problem.

- Experts recommend using alternative authenticator apps to avoid this issue.

- The situation underscores the importance of usability in cybersecurity applications.

Related

Windows: Insecure by Design

Ongoing security issues in Microsoft Windows include vulnerabilities like CVE-2024-30080 and CVE-2024-30078, criticized for potential remote code execution. Concerns raised about privacy with Recall feature, Windows 11 setup, and OneDrive integration. Advocacy for Linux desktops due to security and privacy frustrations.

How MFA is falling short

Multi-factor authentication (MFA) faces challenges from cyber attackers exploiting weaknesses. Breaches despite VPN, SSO, and Google Authenticator usage show risks like phishing, vishing, and Man-In-The-Middle attacks. Recent developments include "Tycoon 2FA" targeting Microsoft 365 and Gmail accounts, emphasizing the need for stronger authentication methods.

Microsoft Orders China Staff to Use iPhones for Work and Drop Android

Microsoft mandates employees in China to switch to iPhones for work by September, enhancing cybersecurity through Apple devices for identity verification. The move aligns with broader security initiatives against cyber threats.

Microsoft Employees in China Forced to Switch from Android to iPhones

Microsoft is requiring employees in China to use company-provided iPhone 15s, Microsoft's Authenticator, and Identity Pass app for work due to cybersecurity concerns. This move aims to enhance security measures.

Microsoft tells China employees to only use iPhones and ditch Android

Microsoft mandates employees in China to switch to iPhones for work, enforcing cybersecurity with Authenticator and Identity Pass apps due to Google Play restrictions. The move follows security breaches, prompting enhanced defenses.

AI: What people are saying
The comments reflect a range of frustrations and experiences related to the Microsoft Authenticator issue.
  • Many users express frustration with the design flaw that leads to account lockouts when adding new accounts via QR code.
  • Several commenters share similar experiences with other authentication apps, highlighting a broader issue in usability and security practices.
  • There is a consensus that the problem stems from poor product management and design choices rather than just technical errors.
  • Some users advocate for alternative authentication methods or apps, citing better reliability and user experience.
  • Concerns about the overall security and usability of authentication systems are prevalent, with calls for more user-friendly solutions.
40 comments
By @SoftTalker - 5 months
"This is a small example of a big problem with usability and cybersecurity. This is what happens when apps are developed by engineers who don’t have a strong knowledge of customers"

This really rings true. Just think of all the nonsense you have to deal with in the name of "security." Mandatory password change intervals. Insane rules for constructing passwords. Completely undocumented password requirements that you just have to figure out by trial and error. Complicated error messages full of security jargon. "Secret Questions" that you can't remember the answers to. And on the other side of the coin, the security of these systems themselves is like a sieve. So many data breaches, information disclosures, they are in the news almost daily. I often wonder how they get away with it all.

By @worble - 5 months
This boggles my brain on so many levels - are you telling me Microsoft Authenticator only stores the entry based on label? It doesn't generate an internal key or anything? And then they claim that the issue is websites not putting the issuer in the label, but in the issuer field, where it belongs?

Is no-one at Microsoft actually using their own Authenticator? Unless I'm missing something, this would make it nearly unusable for almost all applications - as soon as you've used your email for one site you wouldn't be able to add it for any others?

By @__jonas - 5 months
Odd, I just received this email from MS that looks a lot like phishing but seems not to be?

> Action required: Enable multifactor authentication for your tenant by 15 October 2024

> You’re receiving this email because you’re a global administrator for [Literally a UUID here, no organization name or anything] Starting 15 October 2024, we will require users to use multifactor authentication (MFA) to sign into the Azure portal, Microsoft Entra admin center, and Intune admin center. To ensure your users maintain access, you’ll need to enable MFA by 15 October 2024.

> If you can’t enable MFA for your users by that date, you’ll need to apply to postpone the enforcement date. If you don’t, your users will be required to set up MFA.

> Action required

> To identify which users are signing into Azure with and without MFA, refer to our documentation.

> To ensure your users can access the Azure portal, Microsoft Entra admin center, and Intune admin center, enable MFA for your users by 15 October 2024.

> If you can’t enable MFA by 15 October 2024, apply to postpone the enforcement date.

The thing is, I'm not administrating any organization with Microsoft.

I have a private office365 family account or whatever it's called, and I have 2FA set up for my account, I have no idea what they are on about, especially because the email doesn't contain even my name or the name of the supposed organization, just some ID.

It's definitely an Email from Microsoft though.

By @KMag - 5 months
I lost a few GMail accounts because I changed countries and computers since I created them. I tried logging in, Google said my password was correct, but both the device and the IP were unfamiliar. I don't recall exactly what was wrong with using the recovery address to recover from the problem, but that didn't work, despite my still having access to my recovery email address. I think I might need to be able to tell Google what my recovery email address is, and I may have used one of those randomized + suffixes to my recovery address.

I used to use Google Authenticator with my GMail accounts, but disabled that out of fears it's just one more thing to go wrong, with Google providing little recourse.

My password is a bit over 96 bits of entropy, generated by extracting 256 bits from /dev/urandom as a multi-precision integer, divmod'ing to extract one instance from each of the character classes (digit, lower, upper, symbol) and then the rest from the combined alphabet (digit + lower + upper + symbol), and finally the leftover entropy used for Fisher-Yates shuffle of the password so the first digit isn't always a digit, etc. Passwords are per-site, stored using a gpg-based password manager I wrote in the early 2000s.

MFA would still help for some types of ongoing active compromise, but not for dumps of password hashes from a DB compromise. It really kills me that recovery from my recovery email address doesn't work, even though I know my password.

Honestly, if you haven't logged in from anywhere in a few months and you have the correct password, they should at least just send some verification link/code to your recovery address without requiring you to tell them your recovery address. Sure, maybe don't say where you're sending the recovery link, but turning the recovery address into another password you need to memorize without ever telling you it's some weird combination of recovery email address and recovery password is just highly annoying.

By @magicalhippo - 5 months
I've been using Microsoft's one for my work accounts because, well, we're elbow deep into Office365 so why not.

I've never gotten that dialog, and have not had any issues with the accounts I've added. Since they're my work accounts, 99% of them share my work email as account name.

So does that mean I've just been lucky, in that the sites I've signed with have provided a sufficiently unique label? I feel I didn't fully get what the issue is.

By @arianvanp - 5 months
Safari had a similar bug where it would just overwrite your passkey with no warning whatsoever -- completely locking you out of your account. It has since then been fixed, but this caused me to lose access to my GitHub

https://bugs.webkit.org/show_bug.cgi?id=270553

Safari still has some bugs where it can't discern between websites hosted on different Subdomains except for hardcoded exceptions and it will override password of one subdomain with the other. Happens to me on a monthly basis.

By @RcouF1uZ4gsC - 5 months
Incidentally, this is why SMS MFA is so popular with users despite its security vulnerabilities.

Generally, unless you are targeted by someone with a sim swap, it is good enough. Most people won't be targeted, but do have a good chance of something going wrong that makes them lose their MFA key.

By @NotACracker - 5 months
I've just made a test: multiple accounts using the same account/email and there is no conflict.

I even have a matching icon of the issuer for each entry; the issuer is registered for each entry.

I have been using the MS Authenticator for years and I've never had any problem of that sort, and of course, I am always using the same email as my account/username.

Anyway, I'm just putting up the result of my test. It's not like this is going to change your mind about the authenticator or Microsoft itself here...

By @breadwinner - 5 months
This happened to me when I updated MS Authenticator after not updating it for a while. It wiped out all data, and I got locked out of all accounts. MS Authenticator is not a carefully written product.
By @napsterbr - 5 months
Something similar happened to me about a year ago when the Google Authenticator app automatically updated to a new version. I lost all my accounts in the update process. Definitely learned a few lessons there.
By @mihaaly - 5 months
"it was the fault of users or companies that use the app for authentication" MS said.

Spot on right. They should have been more prudent in selecting services. Absolutely right, users' and clients' fault it is!

You see a smug bastard company that hurts the client they live on because they provide faulty service, they hurt repeatedly, in thick queue throughout time, for long time, fault after fault after fault and just release the smear the responsibility elsewhere department on the clients complaining, whatever the official title of this department is, PR or whatever, while the issues are reported in news everywhere, publicised, then who would you blame? The company, or the clients still choosing the company against common sense and own experience?

The case touches me because I am approaching a job where I would not use Windows anymore, I am tired of the Windows ecosystem. It only makes life differently complicated, or many times more complicated, more difficult to do my job than without it. I have not enough time listing how many things they made much worse in the past decade or more that my every day is a swim through the flow of piss MS releases day after day at all of us. They were better in some short period long ago, only partially still, after some very bad historic period, now they are determined that with hard work they will f up all what is left.

I have a friend working on the MS Teams. He is very busy, working hard, they will release some sort of AR meet feature, packed with complex and revolutionary (i.e. experimental) approaches so you could enjoy solutions that probably will work ok and not annoy you with visual artefacts and problems not eliminated before release, with the headset you require for it, probably will not be forced on you but likely annoy the hell out of you by the pop up promotions when you try to do your urgent job after a critical update. Who the f needs that? While the Teams is a mess to work with already with lots of noise and half cooked bloated whatevers already being a distraction, not helpful, not at all. Probably only the call quality is the only good in it by now, but that was purchased from elsewhere, that was given to them. They are so good at making things too complicated and being unable to make it well because it is too complicated to do well, too expensive, so let's just release a half cooked one and leave it there for decades (like the dialogs in Windows) and put the blame on elsewhere by the put the blame on elsewhere department put together precisely for this.

By @motohagiography - 5 months
some security products seem like they are designed to discredit security as a field. imo the market is just at the point of backlash against the decadent stupidity in that cost centre. if you are going to humiliate people by making them jump through hoops 10x a day with context switching 2FA tokens and make serious people with educations and responsibilities use words like "smishing," you better be sure that hoop is the finest example of engineering anywhere. the solution has become the problem. I'm calling the peak.
By @jokethrowaway - 5 months
Are we again in a Microsoft 2000 phase? It seems like everything Microsoft is broken these days.

GitHub barely works after the acquisition. Azure is a joke. Teams is the bane of my existence. Outlook is the second one.

Do they need to ask harder leetcoding problems during the interviews?

By @kaffeeringe - 5 months
It also tracks your position all the time. That is the bigger problem to me. https://reports.exodus-privacy.eu.org/de/reports/com.azure.a...
By @chaz6 - 5 months
When asked to set up TOTP, the first thing I do is scan the QR code with a QR code reader, and save the secret into my password manager, before adding it to my authenticator app.
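Following up on the workflow in the comment above: once the secret from the QR code is in a password manager, the way to know the backup is actually usable is to generate a code from it yourself and compare with what the app shows. The block below is an added example, not code from the page or from any vendor; it implements RFC 6238 TOTP (over RFC 4226 HOTP) in plain Python, and the only secret it uses is the RFC 6238 reference key (ASCII "12345678901234567890" in base32), so the numbers it prints are the RFC's published test vectors, not real credentials. The name `RFC6238_TEST_SECRET` and the helper functions are this example's own.

```python
"""Check that a TOTP secret saved out of a QR code really reproduces the
authenticator's codes (RFC 6238 over RFC 4226 HOTP).

Added example, not from the original page. The only secret used is the
RFC 6238 reference key, ASCII "12345678901234567890" in base32, so the values
printed by the usage block are the RFC's own test vectors, not real credentials.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret from an otpauth URI; tolerate spaces, lower
    case and missing '=' padding, all of which appear in real QR payloads."""
    cleaned = "".join(secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_at(secret_b32: str, unix_time: int, period: int = 30,
            digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(decode_base32_secret(secret_b32), unix_time // period, digits, algorithm)


def totp_now(secret_b32: str, **kwargs) -> str:
    """The code the authenticator app should be showing right now."""
    return totp_at(secret_b32, int(time.time()), **kwargs)


def totp_verify(secret_b32: str, code: str, unix_time=None,
                window: int = 1, period: int = 30, **kwargs) -> bool:
    """Accept the code for the current step or up to `window` steps either
    side (clock skew), comparing each candidate in constant time."""
    if unix_time is None:
        unix_time = int(time.time())
    for step in range(-window, window + 1):
        expected = totp_at(secret_b32, unix_time + step * period, period=period, **kwargs)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits): 59 -> 94287082,
    # 1111111109 -> 07081804, 1234567890 -> 89005924.
    for t in (59, 1111111109, 1234567890):
        print(t, totp_at(RFC6238_TEST_SECRET, t, digits=8))
    print("now:", totp_now(RFC6238_TEST_SECRET))
```

To check a real backup, paste the `secret` parameter from the otpauth URI into `totp_now` and compare with the app; if the QR code set `digits`, `period` or `algorithm`, pass those too. The saved secret is equivalent to the authenticator itself, so it belongs in the password manager's encrypted store, never in a plain note.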
By @rpdillon - 5 months
One of the things I really like about the file system is that it's a sort of universal API: if you can get the files a program has written, then you can do all sorts of stuff, like version control them, back them up (and restore them!), sync them across machines, and develop interoperable tools. This is particularly useful with an application that provides TOTP codes.

But modern mobile apps have an architecture that makes reading directly from the filesystem the exception, rather than the rule, which leads to apps directly managing all their data in their own database, rather than in a shared filesystem. This removes a lot of user agency, and opens the door to tough-to-remediate bugs, like a new version of the app corrupting or erasing old data.

> Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users’ apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer — such as a bank or a car company — to avoid this issue. Microsoft only uses the username.

I feel like mobile took a step backward when it made the filesystem a second-class citizen, despite some of the security improvements mobile brought with app sandboxing. Restoring from a backup would have fully remediated this issue, at least once folks understood what was causing it.

By @t00 - 5 months
Even for Microsoft accounts, use an alternative app for 2FA/MFA. Recently I switched to the open source Aegis, which allows encrypted backups and does not have the issue described.
By @NikhilVerma - 5 months
A similar thing has happened with Twitter. After the Musk takeover and the removal of SMS for auth, something has changed the keys of the 2FA authenticator. My old keys don't work and my "ticket" has been waiting on Twitter support (which were probably all fired) for resolution.
By @briffid - 5 months
I have many accounts with the same user names, and they don't get overwritten. There might be some design flaw somewhere, but it's surely not what the article states, ie. that you cannot have the same username on different sites.
By @ReptileMan - 5 months
And keepass keeps complete history since the file was created. Someone was really sloppy in Microsoft in the design phase.
By @coding123 - 5 months
Has anyone else noticed it's not possible to have an account that you can log in anymore? Locked out by AI, locked out by suspicious activity, locked out due to lost phone, lost authy, broken everything. You drive an RV? locked out due to location change. You have a common name? Locked out. Have a foreign name? Locked out.
By @nottorp - 5 months
Yes, when you add one more device between you and your data you are now dependent on it functioning correctly.

Today it's a MS fuckup, but any such system could malfunction.

By @EGreg - 5 months
I have been recommending for years that people have a DIFFERENT email alias for every service

Email aliases look like yourname+somealias@gmail.com

This also helps avoid social engineering attacks when people call into your provider:

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

By @ta988 - 5 months
This is not a software engineer issue, it is a product manager issue, who relentlessly ignored users' complaints.
By @addicted - 5 months
How has MS not fixed this. It seems like the kind of bug that shouldn’t ever happen in the first place (it’s such an obvious flaw) but now that they are aware, it should be priority #1 to fix.
By @markuta - 5 months
What's also annoying is that some MFA providers like Microsoft Authenticator and Authy lock you into their platforms, no export or offline backups features, at least without a rooted phone.
By @causality0 - 5 months
Well damn. I've used Microsoft Authenticator for years and just happened to have never used the QR code feature. Is there an easy way to migrate all the data into Google Authenticator?
By @CatWChainsaw - 5 months
A whole different type of "too big to fail", and a great demonstration of why putting the keys to your kingdom in Microsoft's/Google's/Apple's hands is a stupid idea.
By @concernedctzn - 5 months
using microsoft authenticator I just ran into this recently and searched to find it's a known issue that microsoft has no announced plan of fixing. Strange to see it pop up here separately, I guess it's becoming more common. I knew to cancel the dialogue and manually add the account without the QR code to work around it but I'm sure plenty of people will have their accounts locked because of this
By @websap - 5 months
wait a second, what? If I use the same email for another account, I could get randomly locked out from some other account.

I just checked my app; there are 2 different emails for 2 entries, other entries are provider specific.

Is there a good way to migrate from MS Authenticator and what options do I have?

One of the entries without the Issuer correctly set is Outlook.com itself. WTF!

By @todotask - 5 months
When I tried to sign up for Hotmail account, the challenging step I have to solve isn't friendly for my impaired eyesight.
By @issafram - 5 months
ymmv, but I've never had this issue.
By @justinclift - 5 months
"Microsoft is the Boeing of software."

Seems like an apt description. :)

By @Obscurity4340 - 5 months
KeePass, peeps
By @franga2000 - 5 months
> leaving IT experts wondering, ‘Why would you pick Microsoft?’

Well I can tell you why people pick MS Authenticator - it's because microsoft basically forces it on you, uses dark patterns to avoid letting you use any other standard OTP app and doesn't give admins the tools to disable it.

As an admin, I can disable every single MFA method individually, including TOTP, but Microsoft Authenticator is force-enabled. When users go to enable TOTP (or are forced to), the option is called "Microsoft Authenticator", not something more generic. The QR code they get is not a standard TOTP one, so any other client will reject it. There's a small link below it letting you "use another app" which finally gives you a real TOTP QR code. This is INSANE!

By @xattt - 5 months
I don’t see what the issue is. People could plan ahead and just write the six digit code in a notebook as a backup.

/s

By @todotask - 5 months
For this reason, I can think that having a Passkey can be a better advantage over relying on centralised account management?