在「Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out (csoonline.com)」這邊看到的,原文在「Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out」,在講 Microsoft Authenticator (Android 版、iOS 版) 這個支援 TOTP 的 MFA 程式的長年 bug... (對一般人比較好理解的,這是六位數字的動態密碼 app)
會造成無法登入的 bug 是因為透過 QR code scan 加入新的帳號時,會蓋掉既有的帳號資料,所以產生的 QR code 就無法在舊的帳號/網站上面使用了:
That’s because, due to an issue involving which fields it uses, Microsoft Authenticator often overwrites accounts when a user adds a new account via QR scan — the most common method of doing so.
原因是因為 username 相同就會蓋掉,而大多數人在不同的地方都會用同樣的 username (像是我的 gslin):
The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users’ apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer — such as a bank or a car company — to avoid this issue. Microsoft only uses the username.
然後 workaround 是不要用 Microsoft Authenticator,或是不要用 QR code scan:
There are multiple workarounds. The easiest is for companies to use any other authentication app. Not using the QR code scan feature — and manually entering the code — will also sidestep the issue, which doesn’t appear to arise when the authenticated accounts belong to Microsoft.
然後這個問題可以找到 2020 年開始有人抱怨,但作者測試看起來 2016 年的版本就已經是這樣了:
CSO Online found complaints of this problem dating back to 2020, but it appears to have been in place since Microsoft Authenticator was released in June 2016. (For historical context, Google was the first Authenticator app, having been launched in 2010.)
然後 Microsoft 確認有這樣的行為,但不認為是 bug 而是 feature (怎麼梗圖突然從腦袋裡冒出來...):
Microsoft confirmed the issue but said it was a feature not a bug, and that it was the fault of users or companies that use the app for authentication.
然後專欄作者找了其他專家測試其他的 app,可以發現只有 Microsoft Authenticator 的處理是 override 然後炸掉:
By the way, I’ve tested this behavior in 14 other authenticator apps so far. None of them exhibit the same collision behavior that Microsoft Authenticator does,” he added. “I gave up at 14 because at that point, it’s obvious Microsoft are the ones who are doing things poorly here.
大概是大家都懶得吵了,反正可以用 Google Authenticator 或是其他 TOTP app...