CSO News:
With multi-factor authentication now widespread, end users find themselves fiddling with codes and authenticator apps many times a day. For those who rely on Microsoft Authenticator, the experience can go beyond momentary frustration to full-blown panic when they find themselves locked out of their accounts.
That is because, due to the field it uses to identify an account, Microsoft Authenticator often overwrites an existing account when a user adds a new one by scanning a QR code, the most common way of enrolling.
And because the failure only surfaces later, as a rejected login at the affected service, the user is unlikely to realize the problem lies with Microsoft Authenticator. Instead, the company that issued the authentication is blamed, and corporate helpdesk hours are wasted trying to fix an issue that company did not cause.
The core of the problem: Microsoft Authenticator keys each entry on the username alone and overwrites any existing entry with the same username. Since email addresses are the usual username, most of the accounts in a user's app share the same one. Google Authenticator and just about every other authenticator app also record the issuer, such as a bank or a car company, and use it to tell entries apart; Microsoft uses only the username.
Making matters worse, when an overwrite happens it is not easy to determine which account was replaced. This can cause authentication failures for both the newly added account and the one it overwrote, and a user may not discover that an earlier account was silently wiped out until trying to use it again, perhaps weeks or months later.
There are several workarounds. The simplest is for companies to standardize on any other authenticator app. Skipping the QR code scan and entering the secret key manually also sidesteps the issue, which does not appear to arise when the accounts being added belong to Microsoft itself.
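To make the collision concrete, here is an added example, not code from the article or from Microsoft, that parses the otpauth://totp provisioning URIs a QR code carries and enrolls two constructed entries, one from "ExampleBank" and one from "ExampleCar", for the same email address. Keying the store on the username alone, the behaviour the article attributes to Microsoft Authenticator, leaves a single entry; keying on issuer plus username, as the other apps do, keeps both. The issuer names, address and secrets are made up; the TOTP routine is standard RFC 6238 so you can see that after the overwrite the code the bank expects is no longer the one the app would show.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample Key URIs, i.e. the text a TOTP enrollment QR code encodes.
# Both are for the same username at two different issuers; the secrets are made up.
SAMPLE_URIS = [
    "otpauth://totp/ExampleBank:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank",
    "otpauth://totp/ExampleCar:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCar",
]


def parse_otpauth(uri):
    """Split an otpauth://totp/... URI into issuer, account and base32 secret.

    The path label is 'Issuer:account'; an issuer query parameter, when present,
    takes precedence over the label prefix (the Key Uri Format that
    Google Authenticator-compatible apps read).
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    issuer = params.get("issuer", label_issuer).strip()
    return {"issuer": issuer, "account": account.strip(), "secret": params["secret"]}


def key_by_account(entry):
    """Weak key: username only. Two issuers with the same username collide."""
    return entry["account"]


def key_by_issuer_and_account(entry):
    """Safe key: issuer plus username, so the same address at two sites coexists."""
    return (entry["issuer"], entry["account"])


def enroll_all(uris, key_fn):
    """Simulate scanning each QR code in order into an authenticator's store."""
    store = {}
    for uri in uris:
        entry = parse_otpauth(uri)
        store[key_fn(entry)] = entry  # dict assignment silently replaces an existing key
    return store


def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_for(store, key, unix_time):
    """Code the app would display for a stored entry, or None if the entry is gone."""
    entry = store.get(key)
    return None if entry is None else totp(entry["secret"], unix_time)


if __name__ == "__main__":
    t = 59  # fixed time so the output is reproducible
    weak = enroll_all(SAMPLE_URIS, key_by_account)
    safe = enroll_all(SAMPLE_URIS, key_by_issuer_and_account)
    print("entries kept, keyed by username only:", len(weak))
    print("entries kept, keyed by issuer+username:", len(safe))
    print("bank expects:", code_for(safe, ("ExampleBank", "alice@example.com"), t))
    print("username-keyed app shows:", code_for(weak, "alice@example.com", t),
          "(from", weak["alice@example.com"]["issuer"] + ")")
```

The second secret is the RFC 4226/6238 test vector, so the code the username-keyed store produces at t=59 is the documented 287082; the point is that it is ExampleCar's code, and the bank's entry is simply gone from that store.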
Read more:

Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out
Microsoft stands out from the authenticator crowd by annihilating accounts when new accounts are introduced via QR code. Despite user complaints for years, no fix has been issued, leaving IT experts wondering, ‘Why would you pick Microsoft?’
