Transcript

A wafrn woot (post) by @tinker@infosec.exchange saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the Microsoft Authenticator app.

  • Tash@lemmy.world · 82 up, 1 down · 2 days ago

    Pretty sure you have another device registered with Authenticator here, and it is asking you to verify against that.

    It would be bad if somebody could just steal your username/password and then register their own MFA, right?

    • DarkSirrush@lemmy.ca · 12 up · 2 days ago

      So I recently had this happen. I set up Microsoft Authenticator on my phone, found out our IT team wants us to use Google Authenticator for some reason, hit the disconnect from device button… And got an infinite loop of being redirected to the Microsoft app, and clicking the “can't access” button brought me back to… The Microsoft Authenticator app.

      Had to ask IT to delete my 2fa on their end and try again.

      • Baggins [he/him]@lemmy.ca · 4 up · 2 days ago

        This is a legit problem with authenticator. My work phone was wiped and I had to have my authenticator reset because it got stuck in the same loop.

        • Hotzilla@sopuli.xyz · 1 up · 1 day ago

          Well, if the MFA device is not available, reset is the only way. If the user were able to bypass the lost device, the whole thing would be vulnerable.

          The whole MFA is of course really f stupid, but it is the best we've got against phishing.

    • ByteWelder@feddit.nl · 5 up · 2 days ago

      This happens when your Microsoft account password is externally managed by your employer. If the password is changed externally, then authenticator needs to re-authenticate… with itself.

    • shalafi@lemmy.world · 9 up, 2 down · 2 days ago

      Keeper does the same. Because that’s sane security.

      Lemmy: $MS dumb and bad! (Please clap.)