Microsoft Authenticator - A Cautionary Tale of Woe


I'll start with the caveat that multifactor authentication is amazing, and its widespread adoption in the enterprise and for personal use has stopped significant amounts of crime in its tracks. I am absolutely not throwing any shade on the use of MFA to help secure applications from nefarious actors. However, yesterday was a major headache for me, mainly because I trusted too much in the tools I used and didn't pay heed to what can go wrong.

It started with a broken update on iOS 26 that caused my phone to kernel panic and crash at random intervals - during phone calls/Teams meetings, browsing the web, even when it was happily charging in flight mode overnight. After a few days of troubleshooting and eliminating possible causes (reinstallation of Windows Defender and other apps that were heavily background intensive) I decided to take the nuclear option and factory reset/restore from backup. I checked the backup was current, took a new backup to be sure, and ensured all apps were configured to back up to iCloud.

After a couple of hours of restoring everything, I then opened Microsoft Authenticator to sign into an organisation that I have an account for and to my abject horror saw that all my accounts were listed - with a prompt to sign into my account:

Obviously selecting this allowed me to enter credentials - and then sent a prompt to my now non-existent MS Authenticator app - rendering me locked out of the accounts that I use MS Authenticator for.

It's worth noting at this point that the other authenticator apps I use (Duo and Google Authenticator) managed to back up fine and in their entirety without problems - so this is totally a Microsoft Authenticator issue feature.

Lessons Learned

Thankfully I've been through the mill enough times in my career to not be solely reliant on a single solution - the types of accounts I had in MS Authenticator broadly fell into the following categories:

  • Client accounts with user access only - MFA methods could be reset by the administrators of those accounts
  • Grok Consulting's own (admin and user) accounts - MS Authenticator is a backup authentication method for these, as my primary authentication uses either Passkeys or FIDO2 MFA methods (a Yubikey, with a backup Yubikey stored offsite in a locked location)
  • Client Admin Accounts - For tenants I have management access to, I ensure there is more than one admin account for day-to-day administration, so there's always another admin I can call upon. I also configure the tenant (where possible) in line with the CIS Microsoft 365 Foundations Benchmark, which recommends setting up Emergency Access Accounts that fall outside Conditional Access Policies:
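As an added example (not from the original post), the two properties the list above relies on can be checked mechanically against an exported tenant snapshot: every emergency access account is excluded from every enforced Conditional Access policy that would otherwise apply to it, and no admin account has Microsoft Authenticator as its only non-password authentication method. The data below is constructed in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies` and `/users/{id}/authentication/methods`; the GUIDs, policy names and user names are placeholders, and group exclusions are not expanded (a real audit would resolve `excludeGroups` membership via Graph too).

```python
"""Audit a tenant snapshot for MFA resilience (added example, constructed data)."""
from typing import Dict, List

# Graph @odata.type values for the authentication methods we care about.
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"

# Constructed sample: object IDs and names are placeholders, not real tenant values.
EMERGENCY_ACCOUNTS = {"11111111-aaaa-4aaa-8aaa-111111111111": "breakglass-1"}

CA_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"],
            "excludeUsers": ["11111111-aaaa-4aaa-8aaa-111111111111"],
            "excludeGroups": []}},
    },
    {   # Misconfigured: the break-glass account is not excluded here.
        "displayName": "Require compliant device for admins",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
    },
    {   # Report-only policies do not block sign-in, so they are skipped.
        "displayName": "Block legacy auth (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {
            "includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
    },
]

# Registered methods per admin, as returned by /users/{id}/authentication/methods.
ADMIN_METHODS = {
    "alice-admin": [{"@odata.type": PASSWORD}, {"@odata.type": FIDO2},
                    {"@odata.type": AUTHENTICATOR}],
    "bob-admin": [{"@odata.type": PASSWORD}, {"@odata.type": AUTHENTICATOR}],
    # Two FIDO2 entries: the everyday key and the offsite backup key.
    "breakglass-1": [{"@odata.type": PASSWORD}, {"@odata.type": FIDO2},
                     {"@odata.type": FIDO2}],
}


def enforced_policies_missing_exclusion(policies: List[dict], account_id: str) -> List[str]:
    """Names of enforced policies that target the account but do not exclude it."""
    missing = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        users = policy["conditions"]["users"]
        included = users.get("includeUsers", [])
        if "All" not in included and account_id not in included:
            continue  # policy never applies to this account
        if account_id not in users.get("excludeUsers", []):
            missing.append(policy["displayName"])
    return missing


def strong_methods(methods: List[dict]) -> List[str]:
    """Every registered method other than the password itself."""
    return [m["@odata.type"] for m in methods if m["@odata.type"] != PASSWORD]


def single_app_dependency(methods: List[dict]) -> bool:
    """True when Microsoft Authenticator is the only thing standing in for MFA."""
    strong = strong_methods(methods)
    return bool(strong) and all(t == AUTHENTICATOR for t in strong)


def audit(policies: List[dict], emergency: Dict[str, str],
          admins: Dict[str, List[dict]]) -> List[str]:
    """Collect findings; an empty list means both resilience properties hold."""
    findings = []
    for account_id, name in emergency.items():
        for policy in enforced_policies_missing_exclusion(policies, account_id):
            findings.append(f"{name}: not excluded from enforced policy '{policy}'")
    for user, methods in admins.items():
        if single_app_dependency(methods):
            findings.append(f"{user}: Microsoft Authenticator is the only MFA method")
        elif len(strong_methods(methods)) < 2:
            findings.append(f"{user}: fewer than two MFA methods registered")
    return findings


if __name__ == "__main__":
    for finding in audit(CA_POLICIES, EMERGENCY_ACCOUNTS, ADMIN_METHODS):
        print(finding)
```

On the constructed data the audit reports two findings: the break-glass account is caught by the compliant-device policy, and bob-admin would be locked out by exactly the kind of Authenticator loss described above. Feeding it a real export is a matter of replacing the constructed dictionaries with the JSON returned by the two Graph endpoints named in the lead-in.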

In this case for me, it was a time consuming and awkward situation to resolve, but also a useful test of my own processes and business continuity/resilience planning.

For critical accounts, such as administrative functions, always ensure you can retain access should your primary MFA method or account become unavailable.