A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
It's not a bug; it's an unintended logical trap, since there are Passwordless account users using the authenticator app who must be able to recover their accounts without the password requirement, along with possibly other similar issues that may affect particular account utilities.
However, there's a security-by-obscurity workaround for this issue that, though not foolproof, typically works to resolve it permanently, assuming your devices are secure with no infostealer malware and you're careful about not exposing the item that must be changed.
The basic steps are to create a new account email alias (or use an alternate existing one if you have it), then make that 'new' alias the Primary, select Change sign-in preferences to switch to that screen, and uncheck the original email alias so it can no longer be used for login by either you or the attackers.
Manage how you sign in to your account
Do NOT delete the original alias, since you'll want to keep that to continue to receive and send email to others, while you should never use the 'new' alias for that purpose, to keep it hidden and not potentially expose it to future attacks.
The above is security by obscurity because it doesn't guarantee the new alias won't be exposed via something like infostealer malware, but it at least typically stays private as long as you never intentionally provide it to others.
You must, of course, also remember the new alias, since the old one will no longer work, though in many cases you could likely use the typically existing phone number alias as well. If the attacks continue even after the above changes have been made, it's probably worth temporarily unchecking the phone number alias as well to confirm that's not what the attackers were actually abusing.
Rob