Microsoft fixes Authenticator design flaw after eight years overwriting accounts

Having ignored user complaints about a security design flaw within Microsoft Authenticator for eight years, Microsoft confirmed in an email to CSO on Tuesday that it has finally corrected the issue. CSO Online reported details about the flaw last month.

At issue was an oversight seemingly unique to Microsoft’s approach to introducing new accounts to its authenticator application. By limiting the number of fields Authenticator considered when adding accounts via QR codes, some users that identified themselves by an email address could be locked out of an account because Authenticator would overwrite another account with the same username.

Other authentication apps, including Google Authenticator, Okta Verify, LastPass Authenticator, Salesforce Authenticator, and just about every other authenticator app, have been designed to include the issuer's name in the fields they consider, which avoids this issue.

Microsoft quietly pushed out its fix last week, either Sept. 10 or Sept. 11, depending on geography. The patch was included in 6.8.15 for iOS and 6.2409.6094 for Android. Some iOS users noted that the patch didn’t automatically post and that they needed to go to their phone’s App Store and manually trigger the update.

In its fix confirmation email to CSO on Tuesday, Microsoft said, “The improvements help better distinguish third-party Time-based One-time Password (TOTP) accounts within the user interface when a new account is added. Users who have an existing account with the same name as the new account will see a prompt that allows them to rename the new account to prevent account collisions.”
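The collision described above, and the rename prompt Microsoft's statement mentions, in a constructed Python example (added here; not Microsoft's code). Two TOTP QR payloads share the account name `user@example.com` but come from different issuers; a store keyed on the account name alone silently overwrites the first secret, while one keyed on (issuer, account) keeps both and can tell the caller when a same-name account already exists. The issuer names and base32 secrets are placeholders.

```python
"""Constructed demo of the Microsoft Authenticator account-collision flaw."""
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth:// payloads (what a TOTP QR code encodes) for two
# unrelated services that both identify the user by the same email address.
BANK_URI = "otpauth://totp/ExampleBank:user%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank"
SHOP_URI = "otpauth://totp/ExampleShop:user%40example.com?secret=GEZDGNBVGY3TQOJQ&issuer=ExampleShop"


def parse_otpauth(uri):
    """Return (issuer, account, secret) from an otpauth://totp/ key URI.

    The label is "Issuer:account"; an explicit issuer query parameter, when
    present, takes precedence over the label prefix.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = parse_qs(parsed.query)
    issuer = params.get("issuer", [label_issuer])[0]
    return issuer, account.strip(), params["secret"][0]


def enroll(store, uri, key_on_issuer):
    """Add a QR-scanned account to `store`; return True if an existing
    secret was overwritten.

    key_on_issuer=False mimics the flawed behaviour (account name is the
    whole key); key_on_issuer=True mimics the other authenticators' design.
    """
    issuer, account, secret = parse_otpauth(uri)
    key = (issuer, account) if key_on_issuer else account
    overwritten = key in store and store[key] != secret
    store[key] = secret
    return overwritten


def issuers_with_same_name(store, account):
    """Issuers already enrolled under this bare account name; a non-empty
    result is the condition for the rename prompt the fix introduces."""
    return sorted(issuer for issuer, acct in store if acct == account)


if __name__ == "__main__":
    flawed, fixed = {}, {}
    for uri in (BANK_URI, SHOP_URI):
        print("flawed overwrite:", enroll(flawed, uri, key_on_issuer=False))
        print("fixed  overwrite:", enroll(fixed, uri, key_on_issuer=True))
    print("flawed store keeps", len(flawed), "secret(s); fixed store keeps", len(fixed))
    print("same-name issuers:", issuers_with_same_name(fixed, "user@example.com"))
```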

Microsoft did not address why it took so many years to make the fix, nor why it designed the app that way initially.

Better late than never

Australian security consultant Brett Randall posted about the security hole over the course of several months and said he saw more than 100,000 views on those LinkedIn posts.

“This now brings Microsoft Authenticator back on par with other phone-based TOTP authenticators. It no longer allows the accidental overwriting of TOTP keys when certain conditions, including reused email addresses, are present, which was effectively locking users out of unrelated systems with little warning,” Randall wrote on LinkedIn. “Thank you, Microsoft, for fixing the issue, even if it was far harder than it needed to be to get an acknowledgement that the issue existed.”

Tim Erlin, API security leader at Wallarm, was one of many users last month who confirmed the Microsoft Authenticator issue. “Although it seems like it wasn’t easy to get addressed, it’s great to see that Microsoft has fixed this issue with their Authenticator app. There’s no doubt that it will prevent future headaches for their users,” Erlin said. 

Another cybersecurity observer, Brian Levine, who oversees Ernst & Young’s cybersecurity business, pointed to the Microsoft patch as an indicator that, sometimes, major brands listen. They may be slow to react, but they still sometimes make the change.

“This demonstrates that software developers are becoming increasingly responsive to security concerns and opportunities, including those raised by technologists and the tech media,” Levine said.

Will Townsend, a principal analyst at Moor Insights & Strategy, said that he “personally experienced that issue. It’s a design flaw, pure and simple.”

“My guess is that the use of QR codes has gained popularity over the last few years for MFA and this finally forced Microsoft to patch it since they were the only outlier,” Townsend said. “The company’s still relatively new Secure Future Initiative may have been pivotal in convincing the product development team to address the issue.”

The design flaw did not affect every user. Whether it was triggered depended not only on the username the user had chosen but also, apparently, on the company being authenticated: some banks and retailers, for example, required different information and handled that information differently. That is why the problem was not universal — and thus more vexing to those it did affect.

Making the problem worse, the glitch was rarely recognized as a Microsoft Authenticator issue; IT staff instead assumed the affected company’s own authentication was at fault. A lot of wasted IT hours resulted.

“Making this situation worse is that when a Microsoft overwrite happens, it’s not easy to determine which account is being overwritten. This can cause authentication issues with both the newly created account and the account that is overwritten,” CSO wrote last month. “Moreover, users can potentially not realize a previously created account was annihilated until they attempt to use it again, whether that’s weeks or months later.”
