Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out
- by nlqip
“I believe the fix, sorry, I mean workaround for this is to use the Secret Key from the Identity Provider and manually type this into the Authenticator app during setup,” the user wrote. “Unfortunately, this is not very helpful in an enterprise environment, especially when the average end user rarely knows anything about the inner workings of authentication, and seeing a random string of characters is intimidating.”
‘A big problem with usability and cybersecurity’
This problem got attention recently when Australian IT consultant Brett Randall posted about it on LinkedIn.
In his post, Randall described participating in a recent vendor training session: “As we logged into their system, we were presented with a QR code to scan for MFA. A number of attendees opened Microsoft Authenticator, scanned the QR code, and proceeded to overwrite another application’s TOTP (Time-based One-Time Password) key,” Randall wrote.
Source link
lol
“I believe the fix, sorry, I mean workaround for this is to use the Secret Key from the Identity Provider and manually type this into the Authenticator app during setup,” the user wrote. “Unfortunately, this is not very helpful in an enterprise environment, especially when the average end user rarely knows anything about the inner…
Recent Posts
- A Vulnerability in Apache Struts2 Could Allow for Remote Code Execution
- CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- Xerox To Buy Lexmark For $1.5B In Blockbuster Print Deal
- Vulnerability Summary for the Week of December 16, 2024 | CISA
- Arm To Seek Retrial In Qualcomm Case After Mixed Verdict