Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out

Microsoft Authenticator design flaw & behavior

  • Core issue: the app can overwrite an existing MFA entry when a newly scanned QR code (an otpauth:// URI) carries the same account label (usually the user's email), instead of keying entries on issuer plus account, or on the secret itself.
  • This risks locking users out of the overwritten service, especially since many services use the same email address as the login name.
  • Some participants reproduce the overwriting (often on iOS via QR scan); others report no problems, suggesting platform- or version-specific behavior or subtle triggering conditions.
  • Microsoft's response (as reported in the article) is perceived as deflecting blame onto services: it faults those that set the standard “issuer” parameter rather than prefixing the issuer to the account label.
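The label-collision behaviour described above, as an added example that is not the article's, the thread's or Microsoft's code: a small otpauth:// parser, a store keyed on the account label alone (which overwrites) beside one keyed on issuer plus account, and an RFC 6238 TOTP routine to confirm both surviving entries still produce their own codes. The two enrolment URIs, the issuer names and the secrets are constructed for the demo.

```python
"""Added example (not the article's or Microsoft's code): an otpauth:// parser,
a store keyed on the account label alone (the overwrite behaviour complained
about) beside one keyed on issuer + account, and an RFC 6238 TOTP routine to
show both entries still work. URIs, issuer names and secrets are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URIs: the same email at two services. The first carries
# the issuer both as a label prefix and as a parameter; the second only as a
# parameter, which the key-URI convention also allows.
URIS = [
    "otpauth://totp/Example%20Bank:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Bank",
    "otpauth://totp/alice%40example.com"
    "?secret=KRUGKIDROVUWG2ZAMJZG653O&issuer=Other%20Shop&digits=6&period=30",
]


def parse_otpauth(uri: str) -> dict:
    """Return issuer, account, secret, digits and period from an otpauth://totp URI.

    The issuer may be an 'Issuer:account' label prefix, an issuer= parameter,
    or both; the parameter wins when both are present.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled")
    label = unquote(parsed.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if ":" in label:
        label_issuer, account = (s.strip() for s in label.split(":", 1))
    else:
        label_issuer, account = None, label.strip()
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    return {
        "issuer": params.get("issuer") or label_issuer,
        "account": account,
        "secret": params["secret"].replace(" ", "").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def naive_add(store: dict, entry: dict) -> None:
    """Key on the account label only: a second service enrolled with the same
    email silently replaces the first. Models the reported behaviour."""
    store[entry["account"]] = entry


def keyed_add(store: dict, entry: dict) -> None:
    """Key on (issuer, account). Re-scanning a rotated secret for the same
    service replaces the stale entry; a different service with the same email
    gets its own slot. If a service sent no issuer at all, a fingerprint of the
    secret stands in for it so unrelated entries still cannot collide."""
    issuer = entry["issuer"] or hashlib.sha256(entry["secret"].encode()).hexdigest()[:12]
    store[(issuer, entry["account"])] = entry


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the default nearly every service uses."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    msg = struct.pack(">Q", at // period)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def demo(at: int = 0) -> dict:
    """Enrol both URIs into each store and report what survived."""
    at = at or int(time.time())
    entries = [parse_otpauth(u) for u in URIS]
    naive, keyed = {}, {}
    for e in entries:
        naive_add(naive, e)
        keyed_add(keyed, e)
    return {
        "naive_count": len(naive),   # 1: the bank entry was overwritten
        "keyed_count": len(keyed),   # 2: both services kept
        "keyed_issuers": sorted(k[0] for k in keyed),
        "codes": {k[0]: totp(v["secret"], at, v["digits"], v["period"])
                  for k, v in keyed.items()},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keying on (issuer, account) still lets a rescan of the same service replace its own stale entry, which is the one overwrite a user actually wants; the secret-fingerprint fallback covers services that omit the issuer entirely.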

Usability vs security in MFA

  • SMS 2FA is seen as insecure but popular: easy to understand, easy to recover, “good enough” for most non-targeted users.
  • Hardware keys (YubiKey/FIDO) are praised in managed environments (IT can reissue, PKI, revocation) but seen as too complex and brittle for general consumers.
  • TOTP apps without solid backup/restore (notably older Google/Microsoft versions) have caused full account lockouts after phone loss, theft, or app updates.

Password and authentication UX problems

  • Long list of pain points: arbitrary length limits, silent truncation, disallowed characters, inconsistent rules between web/mobile, undocumented constraints, and misleading error messages.
  • Many banks and government sites are singled out for bizarre schemes (partial-character prompts, six-digit numeric PINs, on-screen keypads); partial-character prompts in particular imply the password is stored in plaintext or reversibly encrypted.
  • Mandatory password rotation and complex composition rules are criticized as outdated and counterproductive; NIST/OWASP guidance against them is cited.
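The two approaches this section contrasts (silent truncation, banned characters and composition rules on one side, the NIST SP 800-63B / OWASP length-and-blocklist approach on the other), as an added example that is not from the article or the thread. The 12-character cap, the banned-character set and the breached-password list are constructed for the demo; the hashing step uses PBKDF2-HMAC-SHA256 at the OWASP-recommended 600,000 iterations.

```python
"""Added example, not from the article or the thread: the password-handling
anti-patterns complained about (silent truncation, banned characters,
composition rules) modelled beside a validator following NIST SP 800-63B and
OWASP advice. Limits and the breached-password list are constructed."""
import hashlib
import hmac
import os
import unicodedata

LEGACY_MAX = 12                  # assumed cap; silent truncation is the point
LEGACY_BANNED = set("<>'\"&;")   # assumed "dangerous characters" list
MIN_LEN, MAX_LEN = 8, 128        # NIST: allow >= 8, cap at no less than 64
ITERATIONS = 600_000             # OWASP figure for PBKDF2-HMAC-SHA256
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}  # constructed


def legacy_validate(password: str) -> tuple:
    """Model of the criticised scheme. Returns (value that would be stored, errors).
    Truncation happens before the checks, so the user is judged on a password
    they did not type and is never told why."""
    stored = password[:LEGACY_MAX]
    errors = []
    if any(c in LEGACY_BANNED for c in password):
        errors.append("contains a disallowed character")
    if not any(c.isupper() for c in stored):
        errors.append("needs an uppercase letter")
    if not any(c.isdigit() for c in stored):
        errors.append("needs a digit")
    return stored, errors


def legacy_login_ok(stored: str, attempt: str) -> bool:
    """Login compares only the truncated prefix, so many different
    passwords unlock the account."""
    return stored == attempt[:LEGACY_MAX]


def nist_validate(password: str) -> list:
    """Length-only rules, every printable character accepted, Unicode
    normalised before checks, and a breach-corpus check. Over-long input is
    rejected with a message rather than cut."""
    pw = unicodedata.normalize("NFKC", password)
    errors = []
    if len(pw) < MIN_LEN:
        errors.append(f"use at least {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        errors.append(f"use at most {MAX_LEN} characters")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        errors.append("control characters are not allowed")
    if pw.casefold() in BREACHED:
        errors.append("this password appears in a breach corpus")
    return errors


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 over the whole normalised password.
    Returns (salt, digest); a fresh 16-byte salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "correct horse battery staple 42"
    stored, errs = legacy_validate(pw)
    print("legacy stores:", repr(stored), "errors:", errs)
    print("legacy accepts 'correct horsemeat':", legacy_login_ok(stored, "correct horsemeat"))
    print("nist errors:", nist_validate(pw))
    salt, digest = hash_password(pw)
    print("verify full password:", verify_password(pw, salt, digest))
```

The legacy model complains that a 31-character passphrase ending in "42" lacks a digit, because only its first 12 characters were kept; the NIST-style path accepts it whole and hashes all of it, so a different tail yields a different digest.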

Vendor lock-in, dark patterns, and platform criticism

  • Microsoft is accused of steering enterprises toward its Authenticator (defaults, wording, non-standard QR codes, hidden “use another app” links), making alternatives harder to adopt.
  • Broader frustration with Microsoft’s ecosystem (Azure, Teams, Outlook) and perception of declining quality.
  • Similar criticism of Google/Apple ecosystems: opaque support, account lockouts, and limited recourse when “computer says no.”

Workarounds, backups, and alternatives

  • Common strategies:
    • Save TOTP secrets/QRs into password managers or as offline backups.
    • Use open-source authenticators (Aegis, andOTP, 2FAS) with encrypted export/import.
    • Use separate email aliases per service to reduce confusion and social engineering.
  • Some advocate security keys / WebAuthn or passkeys as a better long-term direction, but support gaps (e.g., on mobile, app support) remain.

Account recovery and lockout anxiety

  • Multiple stories of irrecoverable Gmail, Yahoo, Twitter, bank, and game accounts due to broken recovery flows, secret questions, or MFA issues.
  • Strong sense that modern auth systems make it easy to lose access, with little human support or appeals process.