Microsoft Authenticator flaw is locking users out of MFA accounts
A design flaw in Microsoft's Authenticator is causing users to lose access to their multi-factor authentication (MFA) accounts. The issue arises when a user adds a new account by scanning a QR code, the most common way of doing so, and Microsoft Authenticator overwrites an existing account instead of adding a new one. The problem is often misattributed to the company that issued the authentication, leading to wasted corporate helpdesk hours spent trying to fix an issue not of that firm's making.
The root of the problem
The root of the problem lies in Microsoft Authenticator overwriting an existing account that has the same username as the one being added. Other authenticator apps, such as Google Authenticator, include the issuer's name in the identity of an account precisely to avoid this collision; Microsoft Authenticator keys accounts on the username alone. This causes confusion because it is not easy to tell which account is being overwritten, and it can lead to authentication failures with both the newly created account and the one it silently replaced.
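The following Python model, added here as an illustration and not code from the article, from Microsoft or from Google, makes the collision concrete. It assumes the standard otpauth:// key URI format that TOTP QR codes carry (label "issuer:account", plus secret and issuer query parameters) and uses constructed sample URIs with made-up secrets. The two import functions model the two keying policies the text describes (username only versus issuer plus username); they are hypothetical stores, not either app's real implementation. The last function shows the check an import path can run before writing, so that a collision is reported instead of silently replacing an existing enrolment.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample otpauth:// URIs (the payload a TOTP QR code carries).
# Two different issuers enrol the same account name; the secrets are made up.
SAMPLE_URIS = [
    "otpauth://totp/CorpVPN:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=CorpVPN",
    "otpauth://totp/VendorTraining:alice%40example.com?secret=GEZDGNBVGY3TQOJQ&issuer=VendorTraining",
    "otpauth://totp/bob%40example.com?secret=MFRGGZDFMZTWQ2LK",
]


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into issuer, account name and secret.

    The label is "issuer:account" or just "account"; an explicit issuer
    query parameter takes precedence over the label prefix.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError(f"not a TOTP key URI: {uri!r}")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("key URI has no secret parameter")
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = None, label
    return {
        "issuer": params.get("issuer") or label_issuer,
        "account": account.strip(),
        "secret": params["secret"],
    }


def import_keyed_by_account(uris):
    """Hypothetical store keyed only on the account name, the policy the
    article attributes to Microsoft Authenticator. Returns the resulting
    store and the (old_issuer, new_issuer) pairs that were overwritten."""
    store, overwritten = {}, []
    for uri in uris:
        entry = parse_otpauth(uri)
        existing = store.get(entry["account"])
        if existing is not None and existing["secret"] != entry["secret"]:
            overwritten.append((existing["issuer"], entry["issuer"]))
        store[entry["account"]] = entry  # silently replaces the old secret
    return store, overwritten


def import_keyed_by_issuer_and_account(uris):
    """Hypothetical store keyed on (issuer, account), the policy the article
    attributes to Google Authenticator; distinct issuers never collide."""
    store = {}
    for uri in uris:
        entry = parse_otpauth(uri)
        store[(entry["issuer"], entry["account"])] = entry
    return store


def collision_warning(store, uri):
    """Check to run before writing into an account-keyed store: return a
    message naming the enrolment that would be replaced, or None if new."""
    entry = parse_otpauth(uri)
    existing = store.get(entry["account"])
    if existing is None or existing["secret"] == entry["secret"]:
        return None
    return (f"Account {entry['account']!r} is already enrolled for issuer "
            f"{existing['issuer']!r}; importing {entry['issuer']!r} would replace it")


if __name__ == "__main__":
    store, clobbered = import_keyed_by_account(SAMPLE_URIS)
    print("keyed by account only:", len(store), "entries; overwritten:", clobbered)
    print("keyed by issuer+account:", len(import_keyed_by_issuer_and_account(SAMPLE_URIS)), "entries")
    first, _ = import_keyed_by_account(SAMPLE_URIS[:1])
    print(collision_warning(first, SAMPLE_URIS[1]))
```

With the three sample URIs, the account-only store ends up with two entries and has replaced alice's CorpVPN secret with the VendorTraining one, which is exactly the situation the training-session attendees described; the issuer-aware store keeps all three. A helpdesk reproducing a user's report can apply the same reasoning: if two enrolments share the account name and the app keys on that name alone, the older one is gone and must be re-enrolled.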
Long-standing issue gains attention
Complaints about this problem have been found dating back to 2020, but the behaviour appears to have been present since Microsoft Authenticator was released in June 2016. The issue recently gained attention when Australian IT consultant Brett Randall posted about it on LinkedIn. He described how attendees at a vendor training session lost access to other systems after they scanned a QR code and Microsoft Authenticator overwrote their existing keys.
Industry experts weigh in
Gary Longsine, CTO at IllumineX, described this as a design flaw and said he would not recommend using Microsoft Authenticator because of it. Tim Erlin, VP of product at Wallarm, echoed these sentiments and speculated that the problem occurs more often than anyone realizes, because affected users don't understand its cause. David Meltzer, chief product officer at Netography, confirmed that he could reproduce the problem and found it disconcerting.
Microsoft's response to design flaw
In response to these concerns, Microsoft confirmed the issue but claimed it was a feature, not a bug, and blamed users or companies that use the app for authentication. They issued a statement saying, "When users scan a QR code, they will receive a message prompt that asks for confirmation before proceeding with any action that might overwrite their account settings. This ensures that users are fully aware of the changes they are making."