Microsoft Authenticator bug with duplicate label resulting in overwriting of other TOTP keys

EpicPilgrim7 10 Reputation points
2024-07-22T09:22:07.11+00:00

The Microsoft Authenticator app on Android and iOS differs in a flawed manner from every other authenticator app on the market. It overwrites other TOTP keys stored within it when the label of a new TOTP key is the same as another already stored. The label is frequently the user ID that is being used to log in to the 3rd-party application, which in most cases is an email address, which obviously will be used across multiple sites and keys.

When scanning a QR code with "other" in authenticator apps, the actual content of the QR code is an "otpauth" link. The format of this link is:

otpauth://TYPE/LABEL?PARAMETERS

More info on the otpauth link is available here. The "PARAMETERS" field normally looks something like this:

secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30

Most authenticator apps take a combination of the LABEL portion of the URI, and the "issuer", and use this to form the ID for the TOTP key within the app, as described as best practice in the link above.

Microsoft blatantly ignore the standard and use solely the LABEL field, resulting in collisions and overwriting of legitimate and unrelated TOTP keys.

Evidence of this being reported in the past include:

The problem is that a user who mistakenly allows the overwriting to occur loses access to whatever other system they just overwrote the TOTP key for in Microsoft Authenticator.

The workaround from the above links is to manually enter the key into the Authenticator app when adding it. This is not a viable workaround en masse, and is not required in other authenticator apps.

How do we get Microsoft to acknowledge and fix this design flaw/bug?
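The two identity strategies the question contrasts, as an added example (not code from this post, from Microsoft, or from any authenticator app): a small otpauth URI parser and a simulated key store that reports which stored entries a label-only key would overwrite versus an issuer-plus-account key. The account names, issuers and secrets are constructed placeholders.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolments (placeholder secrets, not real keys): two
# unrelated services issue a key for the same account name.
SAMPLE_URIS = [
    "otpauth://totp/alice%40example.com?secret=JBSWY3DPEHPK3PXP"
    "&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30",
    "otpauth://totp/alice%40example.com?secret=GEZDGNBVGY3TQOJQ"
    "&issuer=Example%20Bank",
    "otpauth://totp/Example%20Bank:bob%40example.com?secret=MFRGGZDFMZTWQ2LK",
]


def parse_otpauth(uri):
    """Split an otpauth://TYPE/LABEL?PARAMETERS URI into its parts."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI: %r" % uri)
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    # The label may carry an "Issuer:account" prefix; the explicit issuer
    # parameter takes precedence when both are present.
    label_issuer, _, account = label.rpartition(":")
    issuer = params.get("issuer") or label_issuer.strip() or None
    return {"type": u.netloc, "label": label, "account": account.strip(),
            "issuer": issuer, "params": params}


def key_id_label_only(entry):
    """Key identity as the question describes Microsoft Authenticator: label only."""
    return entry["label"]


def key_id_issuer_and_account(entry):
    """Key identity as most other apps form it: issuer combined with account."""
    return (entry["issuer"] or "", entry["account"])


def add_keys(uris, key_id):
    """Simulate enrolling each URI; return the store and a list of overwrites."""
    store, overwritten = {}, []
    for uri in uris:
        entry = parse_otpauth(uri)
        kid = key_id(entry)
        if kid in store:
            overwritten.append((kid, store[kid]["issuer"], entry["issuer"]))
        store[kid] = entry
    return store, overwritten


if __name__ == "__main__":
    for name, fn in (("label only", key_id_label_only),
                     ("issuer+account", key_id_issuer_and_account)):
        store, lost = add_keys(SAMPLE_URIS, fn)
        print("%s: %d keys kept, %d overwritten %s" % (name, len(store), len(lost), lost))
```

Run stand-alone, the label-only strategy silently replaces the ACME Co key with the Example Bank key, while the issuer-plus-account strategy keeps all three entries.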


1 answer

    EpicPilgrim7 10 Reputation points
    2024-07-25T22:25:08.3166667+00:00

    Well, Microsoft have replied to a ticket I logged and said it's by design, and their Authenticator app is only designed to be used with Microsoft accounts. They support adding other accounts by scanning QR codes, but don't care that they don't abide by any standards and that it fails adding accounts with the same email address, even though every other authenticator app under the sun works fine.

    I mean:

    • Google designed their Authenticator app primarily to authenticate Google accounts, but they managed to figure this out just fine.
    • Okta designed their Authenticator app primarily to authenticate Okta accounts, but theirs works fine, too.
    • Microsoft designed their Authenticator app primarily to authenticate Microsoft accounts, but couldn't figure out how to concatenate two strings together (label and issuer) for the primary key.

    Disappointing, Microsoft.

