The problem with Microsoft Authenticator
Microsoft Authenticator is a great product. It was one of the first to use randomly generated numbers as an added layer of protection for push approvals. It backs up to iCloud from iPhones and allows restores. And it makes adding protection to Microsoft accounts a breeze.
But it has a major flaw, and Microsoft have refused to do anything about it.
As an Authenticator app, it allows not just Microsoft accounts with their own proprietary push notifications, but also standard Time-based One-Time Passwords (TOTPs) which are used by virtually every MFA-capable product on the planet. This makes Microsoft Authenticator a ubiquitous tool for easily providing a second layer of authentication to most apps from your smartphone.
Yet, with the accidental acknowledgement of an ambiguous prompt on your screen after scanning a QR code, you can overwrite the TOTP registration for a legitimate app, effectively locking you out.
If you want to see it in action, scan these two QR codes into any other authenticator app (e.g. Google, Okta, Authy, etc). See how they show up as two separate keys?
Next, scan them into Microsoft Authenticator. See how it offers to overwrite the first one when you scan the second? And notice how ambiguous the prompt is? It doesn't tell you which account it is overwriting: it shows the email address of the entry that will be overwritten, but not which service that entry belongs to.
Now, this doesn't happen for all overlapping accounts. It relies on a specific set of circumstances, yet we've come across these circumstances frequently. To explain, behind that QR code is an "otpauth" URI. This is a string containing the issuer, the secret key, and the label.
Every other authenticator app out there takes two of these values (the "label" and the "issuer") and uses them together to form the unique record for that key. Microsoft, though, just takes one value – the label. And that's often just your email address, which means Microsoft Authenticator will overwrite the existing TOTP key that used the same email address.
If the provider that generated the label in the QR code went out of their way to make the label 100% unique (for example, making the label "MyProvider:[email protected]" rather than just "[email protected]"), then Microsoft Authenticator wouldn't suffer from a collision, and no overwriting would occur. But there is no standard to say providers MUST do this. Some big providers, like Box.com, Squarespace, and Cato Networks, just use email addresses in their labels. Every other authenticator app out there is fine with this. Microsoft, though, is not.
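To make the collision concrete, here is an added example (not code from the original post or from any authenticator app) in Python. It parses constructed otpauth:// URIs and imports them under two keying rules: label only, as the post says Microsoft Authenticator does, and issuer plus label, as the other apps do. The provider names and secrets are made up.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URIs (placeholder secrets): two providers that put only
# the e-mail address in the label and carry the issuer in a query parameter,
# plus one provider that prefixes the label to make it unique on its own.
SAMPLE_URIS = [
    "otpauth://totp/user%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=ProviderA",
    "otpauth://totp/user%40example.com?secret=KRSXG5CTMVRXEZLU&issuer=ProviderB",
    "otpauth://totp/ProviderC:user%40example.com?secret=ONSWG4TFOQ%3D%3D&issuer=ProviderC",
]

def parse_otpauth(uri):
    """Split an otpauth:// URI into type, label, account, issuer and secret.

    The label is the URI path and may have the form 'Issuer:account';
    the issuer may also (or only) be given as the 'issuer' query parameter.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(u.path.lstrip("/"))
    params = parse_qs(u.query)
    label_issuer, _, account = label.rpartition(":")
    issuer = params.get("issuer", [label_issuer or None])[0]
    return {"type": u.netloc, "label": label, "account": account.strip(),
            "issuer": issuer, "secret": params.get("secret", [None])[0]}

def record_key(entry, label_only):
    """Key under which an app stores the entry.

    label_only=True models the label-only behaviour the post attributes to
    Microsoft Authenticator; False models apps that combine issuer and label.
    """
    return entry["label"] if label_only else (entry["issuer"], entry["label"])

def import_all(uris, label_only):
    """Import URIs in order; return (stored entries, issuers that got overwritten)."""
    store, overwritten = {}, []
    for uri in uris:
        entry = parse_otpauth(uri)
        key = record_key(entry, label_only)
        if key in store:
            overwritten.append(store[key]["issuer"])
        store[key] = entry
    return store, overwritten
```

With label-only keying, ProviderA's key is silently replaced by ProviderB's because both labels are just the e-mail address; ProviderC survives only because it prefixed its label.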
And this can be disastrous.
Best case, it results in hours lost trying to get access to that system again. Worst case, you've lost access to something forever.
We've reached out to Microsoft through multiple channels. They've admitted that this issue exists. They claim it's by design. And maybe it is.
But no other app has this problem. Which is why we've started advising against the use of Microsoft Authenticator for non-Microsoft TOTP keys. Nobody needs that in their lives.