Serious Design Flaw in Microsoft Authenticator Exposed: User Data Overwritten During Account Addition by Scanning

Has this issue finally caught attention again?

Today, CSO Online, a tech site primarily for enterprise IT administrators, reported a severe design flaw in Microsoft Authenticator. When users attempt to bind 2FA or MFA (Multi-Factor Authentication) by scanning, there's a potential for data overwrite. This means the 2FA data for existing accounts can be overwritten by new data, preventing login to the original accounts.

This problem has existed for many years, a classic design flaw that Microsoft has yet to fully address. Especially with the growing popularity of 2FA/MFA, as more businesses require employees to bind multi-factor authentication, the likelihood of encountering this issue has increased.

Cause of the Issue:

Typically, we use a single email to register accounts on various websites. When scanning to add a 2FA account, Microsoft does not check for the existence of an account with the same name, opting instead to overwrite it.

For example, after binding 2FA to the account [email protected], if we continue to use this email for other website registrations and bind 2FA by scanning, the 2FA data for the new account will replace the original account's data.

Users won't notice any difference since the 2FA verification codes refresh every 30 seconds. Only when repeatedly entering the code incorrectly during login does one realize there's an issue.

This presents a significant challenge for enterprise IT administrators, who often spend time assisting other employees with this issue. However, using Microsoft Authenticator to bind Microsoft accounts, or using Google Authenticator, does not result in the same problem.

A Persistent Issue Since Microsoft Authenticator's Launch:

Although the data overwrite issue has been reported several times, Microsoft has yet to resolve it. This problem has existed since the launch of Microsoft Authenticator in 2016, eight years ago.

For users who must use Microsoft Authenticator, there is a workaround: enter the TOTP binding code manually instead of scanning. When manually entering the binding code, you can add accounts without the automatic overwrite issue.

However, this manual TOTP binding code solution is not suitable for enterprise users. Thus, aside from switching to another authenticator, there is no good solution for enterprise users at the moment.