Transcript
A wafrn woot (post) by @[email protected] saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the microsoft authenticator app.
Nothing in the UX here conveys that you should open a second Authenticator on a second device. And what if you aren’t logged into the second Authenticator? Is a third one needed on a third device? And if you aren’t logged into the third?
The original TOTP phone apps don’t require their own login. The protection is provided by the mobile OS.
Microsoft is making this complex it’s not usable.
MS Authenticator also uses the phone’s built-in security and can also be used for plain TOTP without sign-in if you want. If you aren’t signed in on a separate instance it won’t offer Authenticator as an option. I think a reasonable person would have realised that based on my answer or, if you were really interested in finding out, from the documentation but I guess you bought those saucepans so you might as well use them. I suppose you’re right in a sense; if Microsoft really wanted to make the UX idiot-proof they’d have a link that says something like “I can’t use my Microsoft Authenticator app right now.”
Out of interest, what happens if you lock yourself out of the completely free, open source and self-hosted app that has your TOTP codes? What recource would you have that isn’t also true for MS Authenticator, or Google Authenticator, or any of the other ones?