Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Microsoft IT

Design Flaw Has Microsoft Authenticator Overwriting MFA Accounts, Locking Users Out (csoonline.com) 68

snydeq writes: CSO Online's Evan Schuman reports on a design flaw in Microsoft Authenticator that causes it to often overwrite authentication accounts when a user adds a new one via QR scan. "But because of the way the resulting lockout happens, the user is not likely to realize the issue resides with Microsoft Authenticator. Instead, the company issuing the authentication is considered the culprit, resulting in wasted corporate helpdesk hours trying to fix an issue not of that company's making."

Schuman writes: "The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users' apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer -- such as a bank or a car company -- to avoid this issue. Microsoft only uses the username."

The flaw appears to have been in place since Authenticator was released in 2016. Users have complained about this issue in the past to no avail. In its two correspondences with Schuman, Microsoft first laid blame on users, then on issuers. Several IT experts confirmed the flaw, with one saying, "It's possible that this problem occurs more often than anyone realizes because [users] don't realize what the cause is. If you haven't picked an authentication app, why would you pick Microsoft?"

This discussion has been archived. No new comments can be posted.

Design Flaw Has Microsoft Authenticator Overwriting MFA Accounts, Locking Users Out

Comments Filter:
  • by account_deleted ( 4530225 ) on Monday August 05, 2024 @01:52PM (#64682930)
    Comment removed based on user account deletion
  • by Baron_Yam ( 643147 ) on Monday August 05, 2024 @01:55PM (#64682948)

    It's a stupid mistake. It's been there for years. They blame everyone else for the issues it causes.

    Could it BE any more Microsoft?

  • by Red_Chaos1 ( 95148 ) on Monday August 05, 2024 @01:58PM (#64682962)

    "...why would you pick Microsoft?"

    Because you have little choice in some scenarios? If you're using AzureAD/Entra ID, it seems MS has made it very hard to use a different MFA provider. Even when you do, they often still try to find ways to shoehorn MS Authenticator in front of your users, hoping to get them onto it as well, despite your best efforts. Not at all unlike how Windows loves to inform you that various default apps have been reset due to "corruption" as a laughable horseshit way to try to get you to use Edge, etc.

    • Well, I'm using Google Authenticator application for years, since it exists, and at every companies I work (as a consultant) I register the new MS domain account they provide me with the google app, I never used the MS one even if it's often the one described in their doc on "how to" etc..
      • I currently use 1Password as the authenticator app for a clients Microsoft Account based login system - despite literally just having asked me for my 2FA code from that app, Microsoft then still proceed to insist that I should set up Microsoft Authenticator on the account...

        I have used MS Authenticator in the past, and luckily never been hit by this issue, but have moved off it to 1Password over the past few years. The sole reason I chose it before was because it was one of the only free authenticator apps

        • A year or two ago I switched from the 1password paid service to the (free, open-source, with paid support) Bitwarden service which has proven to be superior for my purposes, (including cost savings, but technical also). This is for savings passwords in general.

          A while ago I tried to standardize on using the Authy authenticator app, however it is no longer supported, but I still have accounts setup for both it and Google Authenticator. I'm in a disorganized state which needs to be addressed relatively soon,

    • Re: (Score:3, Funny)

      it seems MS has made it very hard to use a different MFA provider. Even when you do, they often still try to find ways to shoehorn MS Authenticator in front of your users

      We use Microsoft's MFA and have the option to receive a phone call or text message when authenticating rather than using their software. Shouldn't everyone who uses MS MFA have this option?
      • by proctorg76 ( 657774 ) on Monday August 05, 2024 @02:19PM (#64683022) Journal
        absolutely not, now your account security is 100% dependent on every front line CSR in every retail store for whichevber mobile provider you use.
      • Microsoft uses thier own authentication methods for microsoft authenticator app. Support for traditional rotating single use codes for what most users think of when they use authenticator apps is a bolted on unsupported afterthought in microsofts authenticator. This is what everyone is complaining about, the authenticators 3rd party support, not its Microsoft api native authentication (which requires using microsofts single sign on).
    • by unrtst ( 777550 ) on Monday August 05, 2024 @02:59PM (#64683150)

      You can use any TOTP tool, even ones you roll yourself. Here's an example using the command line utility "oathtool":

      seed="your totp seed"
      oathtool -b --totp "$seed"

      Here's one implemented in bash using openssh for the digest calculation: https://github.com/jakwings/to... [github.com]

      Getting the secret key is fairly easy, if you get it during the initial setup. They usually offer a QR code and there's usually a link to setup with an alternate TOTP tool, and that alternate link will generally provide the secret key as-is. You can also extract it from an exported set of keys from Google Authenticator (and others), but that's more than I want to write here :-)

      Long story short: you don't need to use MS's Authenticator, though they certainly try to corral people towards it.

    • by Lehk228 ( 705449 )
      i have never had my default apps reset due to corruption, i think your hard drive or motherboard is toast, bro
    • I use a particular system where I *have* to use Microsoft Authenticator (it's just a corporate system - nothing to do with Azure). It's not a typical "enter the 6 rotating numbers" type auth flow - you do some stuff online, then you get a prompt on your phone, you do some stuff there, then online it lets you in.

      I haven't checked, but I'll bet my lunch that auth flow is baked into some Microsoft products and so not easily replicated by another auth product. Even if it were though, I'd still *have* to use Mic

  • by smooth wombat ( 796938 ) on Monday August 05, 2024 @02:16PM (#64683016) Journal

    Whenever I set up people to authenticate I always told them to use either a phone call or text message because they're both more reliable than the software. This just adds more confirmation for that decision.

    • by CAIMLAS ( 41445 )

      I absolutely hate having to rely on an Authenticator.

      It's about the best way I can think of to lose access to an account accidentally.

    • by organgtool ( 966989 ) on Monday August 05, 2024 @02:40PM (#64683092)
      At the moment, authentication apps provide much better security than SMS and phone calls. Both of those are vulnerable to Stingrays, SIM transfers, and numerous other attacks. Authentication apps also allow you to authenticate from non-phone devices, such as tablets, so that you're not locked out of all your accounts if you lose your phone or drop it in the turlit.
      • by ceoyoyo ( 59147 )

        If it's done properly, not some special bullshit they wrote on their own, you can save your keys and use them to generate a password on anything that can tell time. There are TOTP libraries for pretty much any language you would want, and if your favourite doesn't have one the algorithm is pretty straightforward to implement.

    • by SendBot ( 29932 )

      Good lord, no! The ease of compromising cell phone service to intercept SMS texts makes your advice a hard security no-no.

    • by MeNeXT ( 200840 )

      I don't own a cellphone since the company I work for provides one. This is not an option for personal user. If you must MFA then use an email or a YubiKey.

    • Define reliable. Reliably works when needed to log in? Or reliably keep people out of accounts?

      Authentication apps were created as a response to a very real problem of number / SIM hijacking. Someone can clone your number and get your 2FA accounts without putting any effort into compromising your device. An attack against you authentication app is far more difficult.

      If you want convenience at the expense of security, just remove 2FA all together and then pat yourself on the back for a job well done.

    • Whenever I set up people to authenticate I always told them to use either a phone call or text message because they're both more reliable than the software. This just adds more confirmation for that decision.

      You're intentionally increasing the risk that their accounts can be compromised with a Sim Swap Attack [wikipedia.org]?

      The scam begins with a fraudster gathering personal details about the victim, either by use of phishing emails, by buying them from organised criminals,[3] directly socially engineering the victim, or by retrieval from online data breaches.


      Armed with these details, the fraudster contacts the victim's mobile telephone provider. The fraudster uses social engineering techniques to convince the telephon

    • by dskoll ( 99328 )

      That's really bad advice. Phone calls and text messages can be intercepted or redirected.

  • by account_deleted ( 4530225 ) on Monday August 05, 2024 @02:22PM (#64683032)
    Comment removed based on user account deletion
  • The summary is wrong: The issuer does appear in MS Authenticator, if the QR code is properly implemented. I can see Amazon, Login.Gov, etc. listed.

    I have one site that has the issue (Payrix). All of the other sites I use work and appear fine in Authenticator.

    The Payrix site works in Google Authenticator but simply shows my email address as the login; I assume I'd have the same issue if I added a 2nd site with the same email.

    I agree that Microsoft should make it more difficult to overwrite existing settings,

    • by unrtst ( 777550 )

      I agree that Microsoft should make it more difficult to overwrite existing settings, but these sites have some responsibility to make sure their QR codes work correctly.

      There should be no way to overwrite an existing one unless you formally delete it. That is certainly their responsibility, as that means any rogue QR code could overwrite one as well.

      IMO, they should also make it trivial for the owner of the key to recover and/or backup the secret key, and to modify the key label to ensure none ever overlap. If you attempt to add one with the same name as an existing one, it should, IMO, offer you the chance to name it something else, while also noting you could go back to

  • It seems like everyone's design has similar flaws. Why do we restrict how many second factors? I would love to completely blacklist email and SMS authentication for everything as an option. But to do that, I need more than one authenticator app and a few backup codes. I have a couple USB/NFC authenticator keys, I have devices with biometric login that can act as their own passkey. Picking one is a bad plan all around.

    TOTP is nice and universal, but it's a last resort just above backup codes. I'd rather

    • by ceoyoyo ( 59147 )

      The requirement to type something in is just a choice by whoever wrote the app you're using. TOTP requires your key and the current time. You don't type either of those in.

      • True - but again, they don't need to all share one. Invalidating one shouldn't have to invalidate them all. And I don't know of any software that keeps the TOTP info ready for browser autofill but protected by a physical second factor. Passkeys and security keys will eliminate the typing for the devices that support it.

        • TOTP is the only one that doesn't let the other party restrict what kind of device I use.

          • That's not true. U2F and Passkeys are both hardware agnostic standards that just rely on the browser to select what options are supported and implement a standard protocol. It's still held back by another party, but not the vendor.

            • by Lightn ( 6014 )

              Passkey has an attestation feature, so that you can require a passkey comes from a known vendor. I've see the option to require it in cloud security configuration. https://developers.yubico.com/... [yubico.com]

            • Passkeys are FIDO auth, that means they're subject to the FIDO authentication levels certification. https://fidoalliance.org/certi... [fidoalliance.org]
              The remote party then needs to keep an up to date FIDO metadata Statement https://fidoalliance.org/metad... [fidoalliance.org] which enumerates which devices are allowed.

              I have been burned by this already: I cannot use my hw key (Nitrokey) to access my state's e-government, because L1 certification is required, and hard to do for an OSS token.

        • by ceoyoyo ( 59147 )

          Oh, absolutely. Someone doesn't understand what a primary key is. That's depressingly common. When the primary key is composite even more heads explode.

          I was referring to this:

          TOTP is nice and universal, but it's a last resort just above backup codes. I'd rather have whatever device I have with me in the moment handle that for me without typing and without looking anything up.

          TOTP shouldn't be a last resort. It can easily do exactly what you want. One of the reasons why it doesn't are that various companies

  • by silentbozo ( 542534 ) on Monday August 05, 2024 @02:51PM (#64683134) Journal

    I want to point out that while Microsoft deserves a fail whale for this... it does point out an important issue.

    Anyone who is relying on a single app to reliably store their token secret, and doesn't have a backup way of authenticating, is one bad release (or stolen phone - if the token secret isn't backed up somewhere) away from ending up in the same situation.

    • ... backup way of authenticating ...

      Well it's security, so the data should be backed-up and accessible to another applet. "Aegis" applet (Android) supports importing most backup/export files. Also many authenticator applets can display plain-text/QR-code of the secret, allowing it to be copied to a phone/tablet/laptop. Yes, it's a lot of work, but if one doesn't make a 'spare key', one deserves the misery resulting from the phone being stolen/reset/damaged by an update (See: CrowdStrike).

  • by Anonymous Coward

    This happened to me. I over-wrote a not-very-important account. Learned my lesson the easiest way possible.

    Microsoft Authenticator has a backup/restore feature but doesn't seem to restore everything you need for all accounts (at least when you restore on a different device).

    I forgot my iOS password for a few minutes today, brain fart. This is very unusual for me, I was shitting a brick over MFA for a few minutes.

  • A design flaw would indicate the software needs to be rearchitected.

    They need to adjust their key constraints and probably modify a getter/setter.

    That's a bug.

  • Lennart will fix it by pulling it into the Windows systemd equivalent.

  • Looking at my Microsoft Authenticator app right now, I see dozens of accounts based on the same email address, and not a single account that has an empty provider. I have page after page of accounts in here, and would love for better organization, but I'm yet to encounter a QR enrollment scheme that has an empty provider field, and if the article is to be believed, I would have to run into that TWICE before there would be a collision. I kind of agree with Microsoft here. If the QR doesn't have a provider
  • ... Microsoft only uses the username.

    It shouldn't take long to realize that when a new secret is loaded into MS authenticator, the old one stops working. Why wasn't this reported years earlier?

    Why does such an incompetent piece of software have a "4.6" usability-rating? Hell, a security app requiring network access should be worrying enough to downgrade its usability. Do MS consumers really have such a low opinion of their own online-safety? If you ever want proof that mega-corporations are corrupting the rating system, this is it.

    • It's a Microsoft app - people have been conditioned over _decades_ to have things inexplicably suddenly stop working. That is normal computer behaviour to them. Why would they report it?

  • by gweihir ( 88907 ) on Monday August 05, 2024 @07:10PM (#64683822)

    Exactly what I expect from Microsoft in the scurity-space: Barely functional crap.

  • Let me guess, they wrote this code in javascript. Oh wait no, must be visual basic.

  • If Microsoft built the Titanic, after it sank, then the Olympic would have sunk. While issuing a press release its going to make its crew "iceberg focused."

    JoshK.

    • All the captain had to do was swipe up like trying to wake from a lock screen with a mouse. As if it was an aborted GUI paradigm from an interface that was abandoned twice over, two whole operating systems ago. Oh wait we're all dead already
      • Quite...and indeed. And the captain was not using a feature (lookouts with binoculars) so was running blind, and overclocked could not reboot after the crash. By the time they agreed upon the problem, they were on the ocean floor...dead already. :)

        Later the archaic paradigm was continued in Windows 11, also called the Andrea Doria...because the interface was the same archaic one and the distance feature was omitted as a new feature.

        JoshK.

  • Who gets to pick? I have at least four authenticator apps on my phone right now because everybody seems to want something different than what I've already got

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...