Why is MS Authenticator App restore from backup forcing a password onto a passwordless account?
Scenario: Lost access to MS Authenticator (MS backup email account active) and had to install the MS Auth app on a new Android device.
Process (hope there is an easier way):
1. Download MS Auth app and select restore from backup
2. Enter the MS Auth backup email account: prompted to validate on MS Auth app (lost)
3. No MS Auth access, so the process falls back to the recovery emails on the account
4. Required validation codes for both recovery email addresses
5. Then prompted to add a password to the MS Auth backup email account (what?)
6. MS Auth App & codes restored successfully on new device
Hoping I’m totally confused and there is a more straightforward way to do this if you have lost access to the MS Auth app.
Why is this seemingly confusing & convoluted to me?
1. Lost MS Auth app access should not immediately point to the MS Auth app.
2. Why not confirm restore through the MS email account used for backup vice the app?
3. Maybe #2 above is a security consideration… thinking someone has the Authenticator app for the MS backup account?
4. If #3 above is true:
   a. Why not force the use of secondary passwordless methods like a HW security key?
   b. Because if they have the authenticator… they have already hacked the MS account!
5. Why default MS Auth app backup restore to the recovery email addresses on the account, when FIDO2 HW keys are available?
6. Why force adding a password to the passwordless account? Access was lost to the “MS Auth App”, not the “email address” used for the MS Auth backup!
Please tell me I’m missing something and there is: 1) a more logical way to recover if MS Auth app access is lost, or 2) a sound logical reason for forcing a password onto a passwordless account for MS Auth App backup recovery.