Microsoft Authenticator Will Overwrite Your Saved Accounts

Written by Matt Milano
Microsoft Authenticator has a serious design flaw, one that is overwriting people’s accounts and leaving them with little recourse.

Microsoft Authenticator is the company’s multi-factor authentication (MFA) app, used by countless individuals and organizations. Unfortunately, it has a serious design flaw that leads to saved account information being wiped out.

According to CSO, when users add a new account using a QR scan, Authenticator will overwrite previous accounts that use the same username as the account being added. Unfortunately, this is a common situation: many individuals use their email address or a common username across platforms. To make matters worse, a QR scan is the most common way to add a new account to Authenticator. As a result, it’s not a matter of if, but when, Authenticator users will find themselves locked out of important accounts.

Unfortunately, this is an issue that has been reported to Microsoft for years, but the company is inexplicably doing nothing to fix it.

CSO says it spoke with several security experts to understand the scope of the problem, and the picture was not encouraging.

“Users will be locked out and will need to get back in. Once you add one entry that is using the email address, the second entry will conflict,” said Tim Erlin, VP of product at Wallarm. “And once you have overwritten, you won’t know which one was overwritten.

“It’s possible that this problem occurs more often than anyone realizes because [users] don’t realize what the cause is,” he added. “If you haven’t picked an authentication app, why would you pick Microsoft?”

“I tried this to experience it myself,” said David Meltzer, chief product officer at Netography, after recreating the bug. “It is clearly a bug. It is a fairly straightforward thing [for Microsoft] to fix. Every other authenticator can handle it.”

Microsoft’s Response

In statements to CSO, Microsoft blamed users, saying the software was working as intended.

“We can confirm that our authenticator app is functioning as intended. When users scan a QR code, they will receive a message prompt that asks for confirmation before proceeding with any action that might overwrite their account settings. This ensures that users are fully aware of the changes they are making.”

Unfortunately, this statement is somewhat misleading. As CSO points out, the message that Authenticator displays is not nearly as clear as Microsoft would have one believe.

“This action will overwrite existing security information for your account. To prevent being locked out of your account, continue only if you initiated this action from a trusted source.”

As CSO points out, this message is problematic for multiple reasons.

• As Erlin points out above, the app doesn’t say which existing account will be wiped out, leaving users to find out the hard way.
• The dialog’s stated criteria for continuing are that the user initiated the action and that it came from a trusted source, both of which are true of any legitimate enrolment, so most users will proceed.
• It offers no way of avoiding the overwrite, except to cancel the process.

Interestingly, Microsoft reached back out to CSO to provide a new statement, this time blaming vendors.

“When you scan a QR code, the Authenticator app uses a label given by the vendor to set up your Time-based One-Time Password (TOTP) account. However, some sites or vendors don’t include the issuer — the site name or Identity provider name — in the label. This may result in a situation where a user may already have an account with the same label and the app attempts to overwrite the existing TOTP account with the new one they are scanning. In situations where a user has an existing account with the same label, users are always presented with a message prompt to confirm overwriting an existing TOTP account in their app and can make a conscious choice to proceed or not. We are always working on enhancing our products and will take this into consideration and apply it to future improvements.”

Of course, no other major authenticator app struggles with this issue, which means a design choice on Microsoft’s part, not vendor behaviour alone, has created this situation.

Australian IT consultant Brett Randall told the outlet that there are few options to fix the issue, short of Microsoft fixing it correctly.

“It seems there are two options here to avoid end users accidentally overwriting other apps’ keys,” Randall told CSO. “We audit every application’s otpauth and go through the hassle of trying to convince every company doing it ‘wrong’ to fix it. Or Microsoft fixes this once and then we never have to worry about it again.”
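As an added example of the audit Randall describes, and of the label-versus-issuer distinction in Microsoft’s second statement (this is illustrative code, not the article’s or Microsoft’s): a Python script parses otpauth:// enrolment URIs and reports which ones would collide when an app keys on the bare label alone, compared with keying on issuer plus account as the Key URI format allows. The URIs, service names and secrets are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolments (not real secrets): the same e-mail used at
# four services, only two of which put an issuer in the QR code.
SAMPLE_URIS = [
    "otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example",
    "otpauth://totp/alice%40example.com?secret=GEZDGNBVGY3TQOJQ",              # site A, no issuer
    "otpauth://totp/alice%40example.com?secret=MFRGGZDFMZTWQ2LK&issuer=SiteB",  # issuer only in query
    "otpauth://totp/alice%40example.com?secret=KRSXG5CTMVRXEZLU",              # site C, no issuer
]


def parse_otpauth(uri):
    """Return (issuer, account, label) for a Key URI format otpauth:// link.

    label is the path ("Issuer:account" or just "account"); the issuer may
    also arrive as the ?issuer= query parameter, which takes precedence.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI: %r" % uri)
    label = unquote(u.path.lstrip("/"))
    prefix, sep, rest = label.partition(":")
    account = rest.strip() if sep else prefix.strip()
    label_issuer = prefix.strip() if sep else ""
    issuer = parse_qs(u.query).get("issuer", [label_issuer])[0].strip()
    return issuer, account, label


def find_collisions(uris, by_issuer):
    """Map each storage key to the issuers enrolled under it and keep only
    keys hit more than once. by_issuer=False keys on the bare label (the
    behaviour the article attributes to Authenticator); by_issuer=True keys
    on (issuer, account), so only enrolments lacking an issuer can collide.
    """
    groups = defaultdict(list)
    for uri in uris:
        issuer, account, label = parse_otpauth(uri)
        key = (issuer, account) if by_issuer else label
        groups[key].append(issuer or "<no issuer>")
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("label-only keying:", find_collisions(SAMPLE_URIS, by_issuer=False))
    print("issuer-aware keying:", find_collisions(SAMPLE_URIS, by_issuer=True))
```

With label-only keying all three bare-label enrolments clash, including the one whose issuer is present in the query string; with issuer-aware keying only the two services that omit the issuer entirely remain in conflict, which is the subset a vendor audit would need to chase.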

In the meantime, organizations and individuals would do well to use pretty much any other authenticator, aside from Microsoft Authenticator.
