Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out




“I believe the fix, sorry, I mean workaround for this is to use the Secret Key from the Identity Provider and manually type this into the Authenticator app during setup,” the user wrote. “Unfortunately, this is not very helpful in an enterprise environment, especially when the average end user rarely knows anything about the inner workings of authentication, and seeing a random string of characters is intimidating.”

‘A big problem with usability and cybersecurity’

This problem got attention recently when Australian IT consultant Brett Randall posted about it on LinkedIn. 

In his post, Randall described participating in a recent vendor training session: “As we logged into their system, we were presented with a QR code to scan for MFA. A number of attendees opened Microsoft Authenticator, scanned the QR code, and proceeded to overwrite another application’s TOTP (Time-based One-Time Password) key,” Randall wrote.
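As an added illustration (not code from the article, from Randall, or from Microsoft), the Python below parses the otpauth:// payload that a TOTP enrollment QR code carries, generates RFC 6238 codes from the secret, and contrasts two hypothetical ways an authenticator could decide that a new enrollment "is" an existing account. The article does not say which matching rule produces the overwrite; keying on the account label alone is assumed here as one rule that would reproduce what Randall describes, and the manual-entry workaround from the quoted user is modelled as the user choosing the account name themselves. The services, e-mail address and secrets are constructed (the second secret is the RFC 6238 test-vector key).

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/<label>?secret=...&issuer=... URI (the text inside an enrollment QR code)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # The label is conventionally "Issuer:account"; an explicit issuer query parameter takes precedence.
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = "", label
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "issuer": params.get("issuer", label_issuer).strip(),
        "account": account.strip(),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def totp(secret_b32, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    secret = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # tolerate unpadded base32
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def key_by_account(entry):
    """Hypothetical matching rule: enrollments are 'the same account' if only the account label matches."""
    return entry["account"]


def key_by_issuer_and_account(entry):
    """Matching rule that also distinguishes the issuing service."""
    return (entry["issuer"], entry["account"])


class AccountStore:
    """Toy authenticator account list; key_fn decides when a new enrollment replaces an old one."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.accounts = {}

    def enroll(self, entry):
        """Store an enrollment; return True if it silently replaced an entry holding a different secret."""
        key = self.key_fn(entry)
        replaced = key in self.accounts and self.accounts[key]["secret"] != entry["secret"]
        self.accounts[key] = entry
        return replaced


def manual_entry(account_name, secret_b32):
    """The quoted workaround, as assumed here: type the secret and pick your own account name."""
    return {"issuer": "", "account": account_name, "secret": secret_b32,
            "algorithm": "SHA1", "digits": 6, "period": 30}


def enrollment_demo():
    # Constructed QR payloads (not real services, addresses or secrets): one e-mail at two unrelated services.
    vendor_qr = "otpauth://totp/VendorTraining:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=VendorTraining"
    payroll_qr = "otpauth://totp/Payroll:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Payroll"
    vendor, payroll = parse_otpauth(vendor_qr), parse_otpauth(payroll_qr)
    results = {}

    # 1. Label-only matching: scanning the vendor's QR code clobbers the existing payroll entry.
    label_only = AccountStore(key_by_account)
    label_only.enroll(payroll)
    results["label_only_replaced"] = label_only.enroll(vendor)
    results["label_only_count"] = len(label_only.accounts)
    results["payroll_secret_survives"] = any(e["secret"] == payroll["secret"] for e in label_only.accounts.values())

    # 2. Issuer-aware matching keeps both enrollments side by side.
    issuer_aware = AccountStore(key_by_issuer_and_account)
    issuer_aware.enroll(payroll)
    results["issuer_aware_replaced"] = issuer_aware.enroll(vendor)
    results["issuer_aware_count"] = len(issuer_aware.accounts)

    # 3. Manual entry under a user-chosen name dodges the collision even with label-only matching.
    manual_store = AccountStore(key_by_account)
    manual_store.enroll(payroll)
    results["manual_replaced"] = manual_store.enroll(manual_entry("Vendor training (alice)", vendor["secret"]))
    results["manual_count"] = len(manual_store.accounts)
    return results


if __name__ == "__main__":
    for name, value in enrollment_demo().items():
        print(f"{name}: {value}")
```

Once the payroll entry has been replaced, every code the app shows for alice@example.com is derived from the vendor's secret, so the payroll IdP rejects them and the user is locked out unless they kept recovery codes or can re-enroll; the issuer-aware store shows what a non-colliding key looks like, and the manual-entry path shows why the quoted workaround helps only if the user gives the entry a distinct name.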


