A Microsoft Authenticator flaw is bricking accounts – here’s how to fix it
Users are having their accounts overwritten by the Microsoft Authenticator service – and it's an issue that's been happening for years
A design flaw affecting the Microsoft Authenticator is locking users out of their MFA-protected accounts, causing chaos as staff spend hours troubleshooting the issue with IT helpdesks.
Originally reported by CSO Online, the issue occurs when users add a new account by scanning a QR code, now the most popular way to quickly add an account. When this method is used, the authenticator overwrites any existing account that has the same username as the new entry.
This stems from the particular way Microsoft has configured its authentication service, which uses only the username to differentiate accounts, unlike Google and similar competing systems, which also record the name of the issuer alongside the account.
This is by no means a new problem. Users have been complaining about the issue in Microsoft support channels as far back as 2020, and it looks like the issue has been persistent since the authenticator was released in 2016.
Last week, Brett Randall, founder and principal consultant at Fractl, took to LinkedIn to complain about the issue, shedding light on the issue once more.
Randall said he dug into the issue after observing the authenticator overwriting another application’s TOTP key when using the QR code to scan for MFA in a training session with a vendor.
But after reporting the issue to Microsoft, Randall said he was told the behaviour was ‘by design’, adding that getting the company to recognize the problem and do something about it has been “nigh on impossible”.
“Watching a room full of people lose access to other systems as they gradually scanned a QR code and Microsoft Authenticator overwrote their keys to other systems was painful.”
This creates further confusion, as organizations often misattribute responsibility for the problem and contact the company whose service issued the MFA enrollment, wasting hours with its helpdesk trying to fix an issue that has nothing to do with that firm.
Microsoft Authenticator issue can be fixed
There are workarounds available, however, as one user posting on Microsoft Learn noted in 2022. The workaround involves manually entering the secret key from the identity provider into the Authenticator app during setup.
But they noted this is not a particularly practical fix when it comes to large enterprises.
“Unfortunately, this is not very helpful in an enterprise environment, especially when the average end user rarely knows anything about the inner workings of Authentication, and seeing a random string of characters is intimidating.”
As multi-factor authentication (MFA) becomes the default protection layer on most user accounts, there is increasing reliance on these systems for access to digital services.
As such, these tools need to be as robust as possible, or risk locking millions of users out of their accounts.
Glenn Chisholm, chief product officer at Obsidian, said that because the majority of organizations recognize the importance of using MFA to secure their accounts, vendors need to ensure their solutions are reliable enough to withstand the increased pressure on them.
"We know that MFA is crucial in protecting against basic forms of compromise. Even so, we see major breaches using accounts that only have basic authentication enabled (like the breach that affected AT&T's Snowflake instance),” he explained.
“With the vast majority of users choosing to use their mobile device for MFA, it's beholden on vendors to ensure that these technologies are easy to adopt and difficult to circumvent.”
Chisholm added that security professionals should be wary that as users flood IT support channels trying to troubleshoot the issue, they are prime targets for social engineering attacks looking to gain a foothold on the network.
"Unfortunately in this instance, the ‘expected behavior’ of the Microsoft authenticator app can cause overwrites of existing accounts. That might mean that enterprises need to help their users re-establish access to their accounts,” he said.
“Security teams need to be aware that this might also provide an opportunity for attackers to socially engineer helpdesk users, convincing them to grant unauthorized access to users accounts, as we saw in the well-documented MGM breach."

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.