A fundamental flaw in Microsoft Authenticator is wreaking havoc on organizations that rely on multi-factor authentication (MFA) to secure their systems. The problem arises when users attempt to add new accounts via QR code, which has become the default for many.
Instead of simply adding the new account, Microsoft Authenticator overwrites any existing account with the same username. This locks users out of their accounts and creates significant operational disruptions as IT departments scramble to identify and resolve the root cause.
This issue has persisted since the app’s launch in 2016, with users repeatedly raising concerns in Microsoft’s support channels. Despite this, Microsoft has continually treated the problem as an intended feature rather than a defect, leaving organizations and their IT teams to manage the disruptions. The ongoing challenges in addressing this problem are sparking serious concerns about the dependability of critical security tools in high-pressure environments.
Why It Matters: As MFA becomes a standard security measure across organizations, the reliability and robustness of authentication tools like Microsoft Authenticator are critical. This flaw disrupts operations and exposes organizations to potential security risks, particularly as support teams deal with the fallout. The persistence of this issue underscores the importance of addressing user feedback and ensuring that security tools are both user-friendly and reliable.
- Design Flaw in Microsoft Authenticator: When adding new accounts via QR code, Microsoft Authenticator overwrites existing accounts with the same username, leading to widespread lockouts and operational disruptions. Despite being reported by users for years, Microsoft has not resolved the issue. The company insists the behavior is ‘by design,’ leaving many organizations frustrated and without a clear solution.
- Recent Attention to the Issue: The flaw was recently highlighted by Brett Randall, a cybersecurity expert, who encountered the problem during a training session, bringing renewed attention to the persistent issue.
- Impact on IT Departments: IT helpdesks spend significant time troubleshooting and restoring access, often misattributing the problem to other systems. This not only wastes resources but also delays critical operations.
- Security Implications: The confusion and disruption caused by this flaw increase the risk of social engineering attacks, as users and support teams may be more vulnerable during the troubleshooting process.
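To make the collision in the "Design Flaw" point concrete, here is an added Python model (not Microsoft's code) of an authenticator store that keys entries on the account name alone versus one that keys on issuer plus account. It assumes the QR code carries a standard otpauth:// Key URI; the two enrollment URIs, their issuers and their secrets are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed enrollment payloads: same account name, two different services.
QR_PAYLOADS = [
    "otpauth://totp/Example%20VPN:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20VPN",
    "otpauth://totp/Payroll%20Portal:alice%40example.com"
    "?secret=KRSXG5DFMFSGC2LE&issuer=Payroll%20Portal",
]


def parse_otpauth(uri):
    """Parse an otpauth:// Key URI into issuer, account and secret."""
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    # Label is "issuer:account"; the issuer parameter, when present, wins.
    issuer, account = label.split(":", 1) if ":" in label else ("", label)
    issuer = params.get("issuer", issuer).strip()
    return {"issuer": issuer, "account": account.strip(),
            "secret": params.get("secret")}


def enroll(store, uri, key_by_issuer):
    """Add one account to the store; return True if an entry was replaced."""
    entry = parse_otpauth(uri)
    key = (entry["issuer"], entry["account"]) if key_by_issuer else entry["account"]
    replaced = key in store
    store[key] = entry   # an existing key is silently overwritten
    return replaced


def simulate(key_by_issuer):
    """Enroll both payloads; report whether the second overwrote the first
    and which secrets survive (the surviving secrets decide which logins still work)."""
    store = {}
    replaced = [enroll(store, uri, key_by_issuer) for uri in QR_PAYLOADS]
    return replaced[1], sorted(e["secret"] for e in store.values())


if __name__ == "__main__":
    print("account-only key :", simulate(key_by_issuer=False))
    print("issuer+account key:", simulate(key_by_issuer=True))
```

With an account-only key the VPN secret is gone after the second scan, which is the lockout described above; keying on issuer plus account keeps both.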
Go Deeper -> A Microsoft Authenticator flaw is bricking accounts – here’s how to fix it – ITPro