Transcript
A wafrn woot (post) by @[email protected] saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the microsoft authenticator app.
https://mysignins.microsoft.com/security-info
Obviously it’s very fashionable to bang two saucepans together while chanting “microsoft baaaaad”, but for anyone interested in actually learning about how this stuff works: Authenticator will never use ‘itself’ to authenticate, but you can use a second, seperate instance of Authenticator on another device to authenticate which is what is happening here. If you use Entra (or whatever it’s called this week), go to that URL to see which MFA methods Microsoft thinks you have and if, say, there’s a copy of Authenticator on a phone you no longer own, or an outdated phone number, or whatever, you can delete it.
Nothing in the UX here conveys that you should open a second Authenticator on a second device. And what if you aren’t logged into the second Authenticator? Is a third one needed on a third device? And if you aren’t logged into the third?
The original TOTP phone apps don’t require their own login. The protection is provided by the mobile OS.
Microsoft is making this complex it’s not usable.
MS Authenticator also uses the phone’s built-in security and can also be used for plain TOTP without sign-in if you want. If you aren’t signed in on a separate instance it won’t offer Authenticator as an option. I think a reasonable person would have realised that based on my answer or, if you were really interested in finding out, from the documentation but I guess you bought those saucepans so you might as well use them. I suppose you’re right in a sense; if Microsoft really wanted to make the UX idiot-proof they’d have a link that says something like “I can’t use my Microsoft Authenticator app right now.”
Out of interest, what happens if you lock yourself out of the completely free, open source and self-hosted app that has your TOTP codes? What recource would you have that isn’t also true for MS Authenticator, or Google Authenticator, or any of the other ones?
For work apps, you can “contact an admin” if you can’t access TOTP. Some other services also have account recovery options if you lose that access.
In other cases, I think you are screwed because you opted into requiring a second factor then lost it.
or request/get a keyfob for the 2nd authentication?
had to do that shit at my last job. and although tedious, it was better than installing an MS app on my phone