I’m posting this because I’ve just had one of the most baffling and frankly unacceptable experiences I’ve ever had with an identity system. What happened here should not be possible in a modern authentication platform, let alone one run by Microsoft.
This is a fairly full account of what went wrong, why it’s dangerous, and why I’m genuinely shocked this system shipped in this state.
The only positive note: Copilot was trying to guide me through. We kept failing at every single step. I can't imagine how much worse this would have been without it. (I'd probably have given up an hour ago and got on with my life.)
1. Passwordless mode trapped my account in a broken state
My Microsoft account was passwordless. Windows Hello was unreliable. Passkey creation failed. YubiKey registration failed. That left Microsoft Authenticator push notifications as the only strong method.
Because of this, I could not remove the push method — even though it was the source of repeated MFA‑fatigue attacks.
A security system should never put a user into a state where they cannot remove an abused factor.
When I clicked “Remove” on Send sign‑in notification, the UI attempted to remove the entire Authenticator registration instead of just the push method.
Then it failed.
This is misleading, dangerous, and contradicts Microsoft’s own documentation.
3. Passkey creation repeatedly failed with a generic error
Every attempt to create a passkey resulted in:
“We couldn’t create a passkey. Please try again.”
No explanation. No remediation. No fallback.
This is a security‑critical flow — it should never fail silently.
I plugged in a known‑good YubiKey and got:
“Something went wrong.”
Again: no reason, no guidance, no logs.
5. The documented fallback URL for FIDO2 registration now redirects to the same broken UI
account.live.com/proofs/manage/additional used to be the workaround.
Now it redirects to the same modern UI that was already failing.
This removes the only escape hatch Microsoft previously recommended.
6. TOTP “last used” date is wrong and never updates
Despite using TOTP many times, the UI still claims:
“Not used since 2024.”
This is a known backend bug.
It misleads users into thinking their TOTP method is stale or non‑functional.
In a security dashboard, inaccurate metadata is not cosmetic — it’s a trust issue.
7. GitHub sign‑in forced me into a broken passkey setup
After signing in with GitHub, Microsoft immediately forced me into a passkey setup flow that was already broken.
This is coercive UX and creates a dead‑end for users whose hardware or configuration is incompatible.
8. No PowerShell or API exists for personal Microsoft accounts
There is no supported automation path to:
- remove MFA methods
- add MFA methods
- reset passkeys
- manage Authenticator registrations
This leaves users entirely dependent on a UI that is demonstrably unreliable.
9. The UI contradicts itself across pages
Different pages showed different states:
- Push removed in one place
- Still present in another
- TOTP usage not logged
- Passkey status unclear
This inconsistency makes it impossible to trust the security posture of the account.
The only way out was to re‑enable a password
In the end, the only way to break the dead‑lock was to turn off passwordless mode, add a password back to the account, and then remove the push method.
This completely defeats the purpose of passwordless security.
Why this is dangerous
This isn’t just a bad user experience.
This is a security failure.
A user under MFA‑fatigue attack should be able to remove the abused factor immediately.
Instead, I was trapped in a broken state where:
- I could not remove the compromised method
- I could not add a new method
- I could not register a passkey
- I could not register a hardware key
- I could not escape the loop without weakening my account
This is not acceptable for a consumer identity system used by hundreds of millions of people.
And finally: even posting this feedback was unpleasant
- Feedback Hub crashed
- TechCommunity hid the posting UI behind multiple layers
- Some pages returned “Internal Server Error”
- The public support page isn’t actually public
- The “obvious” places to post simply don’t allow posting anymore
It should not be this hard to report a serious identity failure.
What I’m asking for
- Fix the passwordless dead‑lock so users are never trapped with a single failing method.
- Fix the passkey creation flow so it provides meaningful diagnostics.
- Fix the YubiKey registration flow so it provides actionable errors.
- Fix the TOTP “last used” metadata so it reflects reality.
- Restore a working fallback registration path for FIDO2 keys.
- Ensure “Remove” removes the method it claims to remove.
- Provide a supported API or PowerShell module for personal Microsoft accounts.
- Audit the entire passwordless UX for failure‑mode safety.
I asked Copilot to help me solve the original problem; it patiently did its best. Maybe you should get some robot help too. This feels like millennial MSFT, not the work of a $2 trillion "AI first" company that thinks it's on the verge of the singularity.