Transcript
A wafrn woot (post) by @tinker@infosec.exchange saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the microsoft authenticator app.
MS Authenticator also uses the phone’s built-in security and can also be used for plain TOTP without sign-in if you want. If you aren’t signed in on a separate instance it won’t offer Authenticator as an option. I think a reasonable person would have realised that based on my answer or, if you were really interested in finding out, from the documentation but I guess you bought those saucepans so you might as well use them. I suppose you’re right in a sense; if Microsoft really wanted to make the UX idiot-proof they’d have a link that says something like “I can’t use my Microsoft Authenticator app right now.”
Out of interest, what happens if you lock yourself out of the completely free, open source and self-hosted app that has your TOTP codes? What recource would you have that isn’t also true for MS Authenticator, or Google Authenticator, or any of the other ones?
For work apps, you can “contact an admin” if you can’t access TOTP. Some other services also have account recovery options if you lose that access.
In other cases, I think you are screwed because you opted into requiring a second factor then lost it.