Microsoft Authenticator: A False Sense of Security?
by Alex Brown
As a naturally curious security professional, I am constantly trying out new security services. I decided to enable the Microsoft Authenticator on my personal Microsoft account. Microsoft describes their Authenticator as “More secure. Passwords can be forgotten, stolen, or compromised. With Authenticator, your phone provides an extra layer of security on top of your PIN or fingerprint.”
Almost all digital transformation projects include applications that authenticate users and protect sensitive data, as well as integrating services across multiple channels. Passwords on their own are not secure, as recent data leaks and breaches have shown. Authenticator apps arose from the need for stronger, multi-factor methods of authentication. Google Authenticator and Microsoft Authenticator are among the most widely used.
I downloaded the Microsoft Authenticator app and added my personal Microsoft account to it. The app asked for my Microsoft password and email verification code. Note that both of these are vulnerable to a simple phishing attack. I completed the registration process and logged into my account several times using the Authenticator app to verify that it worked. It did. I could log into my account without a password.
Can two users log into Microsoft Authenticator at the same time?
My assumption, after enabling the app, was that no one else could log into my account without me approving it first through the Authenticator app. It goes without saying that no one should be able to register another Authenticator app on my behalf without me approving it first with the Authenticator app that I already have.
So I asked a friend to try to add my personal Microsoft account to his Microsoft Authenticator app. After he entered my email address I got a push notification on my mobile device. I opened the push notification on my device and selected “Deny” to deny him from continuing. But my friend was faster and selected “use password instead” on his phone moments before I selected “Deny”. My friend was then able to enter my password and email verification code and successfully register his Microsoft Authenticator using my account. Microsoft completely ignored me pushing the Deny button and didn’t provide any feedback that a new Authenticator app was registered on my behalf. Microsoft Authenticator would not prevent a criminal from accessing an account once they have obtained a username and password.
After this experiment we were both able to log into my account, each with our own phones. But what happens if one of us chooses Allow and the other chooses Deny? Apparently first to click wins. If the attacker tries to log in and clicks Approve first, the victim can click Deny but it won’t matter: the attacker will get in, and once again no indication is sent to the victim that someone got in.
Does Microsoft Authenticator have an extra security layer?
Where was the extra layer of security that Microsoft Authenticator claimed? While the Microsoft Authenticator app was easy enough to use (as any Authenticator App), is it simply providing a false sense of security?
Using biometrics and push notifications for security purposes should incorporate many additional layers of security, resulting in a dynamic, risk-based approach to authentication and authorization. The best systems carefully assess and correlate a host of indicators and variables from the device and the session in real time to validate the user, and revalidate when the risk picture changes. In the examples above there were plenty of red flags (a second device enrolling against an account that already had an authenticator, a fallback to a weaker factor the moment a push was pending, an explicit Deny from the enrolled device) that should have generated alerts and blocked the imposter before access was granted. If you’re serious about device and system security, continuous adaptive risk should be a foundation of your organization’s IT security infrastructure.
An update on ‘Is Microsoft Authenticator Safe?’
Update: I received a few comments on whether 2FA was enabled or not in my tests above. This is not the point I was trying to make here. Even when 2FA is enabled, attackers can still choose to use Email or SMS as a second factor instead of the Microsoft Authentication App. Both Email and SMS are much weaker in terms of security. I’ll follow up next week with a post explaining how SMS and Email 2FA can be bypassed. My expectation is that once I enable an Authenticator App, attackers should not have an easy way of using SMS or Email instead to login or register another Authenticator App.
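The two failure modes described above (the Deny/Approve race on a pending push, and the "use password instead" downgrade that lets someone enroll a second authenticator) both come down to how the server treats a challenge once a strong authenticator exists on the account. The following is an added example, written for this post and not Microsoft's implementation or any Transmit Security product code: a small server-side policy model in which a Deny is final regardless of arrival order, a new authenticator can only be enrolled after the existing authenticator approves, weaker factors cannot stand in for an enrolled authenticator, and every decision and enrollment leaves the account owner a notification. The account, device and challenge names are constructed for the example.

```python
"""Push-challenge policy model (added example, hypothetical design; not Microsoft's code).

Assumptions: the server keeps one Challenge record per login or enrollment attempt,
only devices already enrolled as authenticators may answer a challenge, and
enrolling a new authenticator is itself a challenge that the existing one must approve.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"


class Outcome(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"


class Purpose(Enum):
    LOGIN = "login"
    ENROLL_AUTHENTICATOR = "enroll_authenticator"


@dataclass
class Challenge:
    challenge_id: str
    purpose: Purpose
    requested_by: str                               # device trying to log in or enroll
    outcome: Outcome = Outcome.PENDING
    audit: list = field(default_factory=list)       # (device_id, decision) in arrival order


@dataclass
class Account:
    email: str
    authenticators: set = field(default_factory=set)    # enrolled push-capable device ids
    notifications: list = field(default_factory=list)   # what the owner gets told

    def has_strong_factor(self) -> bool:
        return bool(self.authenticators)


WEAK_FACTORS = {"sms", "email", "password"}


def fallback_allowed(account: Account, factor: str) -> bool:
    """Once a push authenticator is enrolled, a weaker factor may not replace it."""
    return not (factor in WEAK_FACTORS and account.has_strong_factor())


def respond(account: Account, ch: Challenge, device_id: str, decision: Decision) -> Outcome:
    """Apply one device's decision. Deny is sticky and beats Approve whatever the order."""
    if device_id not in account.authenticators:
        raise PermissionError(f"{device_id} is not an enrolled authenticator")
    ch.audit.append((device_id, decision))
    if decision is Decision.DENY:
        if ch.outcome is Outcome.APPROVED:
            # A late Deny still wins: whatever was granted must be torn down.
            account.notifications.append(
                f"{ch.challenge_id}: approval revoked by {device_id}, sessions must be terminated")
        ch.outcome = Outcome.DENIED
    elif ch.outcome is Outcome.PENDING:
        ch.outcome = Outcome.APPROVED
    # An Approve arriving after a Deny changes nothing: the Deny is final.
    account.notifications.append(f"{ch.challenge_id}: {ch.purpose.value} {ch.outcome.value}")
    return ch.outcome


def enroll_authenticator(account: Account, ch: Challenge, new_device: str) -> bool:
    """Add an authenticator only on first enrollment or after an approved enrollment challenge."""
    if not account.has_strong_factor():
        # Bootstrap: there is no authenticator to ask yet, so password + email code is all there is.
        account.authenticators.add(new_device)
        account.notifications.append(f"first authenticator enrolled: {new_device}")
        return True
    if ch.purpose is not Purpose.ENROLL_AUTHENTICATOR or ch.outcome is not Outcome.APPROVED:
        return False
    if ch.requested_by != new_device:
        return False
    account.authenticators.add(new_device)
    account.notifications.append(f"new authenticator enrolled: {new_device}")
    return True


def scenario_from_post() -> dict:
    """Replays the post's second-phone experiment against this policy (constructed data)."""
    victim = Account("victim@example.invalid")
    first = Challenge("c1", Purpose.ENROLL_AUTHENTICATOR, requested_by="victim-phone")
    enroll_authenticator(victim, first, "victim-phone")
    second = Challenge("c2", Purpose.ENROLL_AUTHENTICATOR, requested_by="other-phone")
    password_fallback = fallback_allowed(victim, "password")      # "use password instead"
    respond(victim, second, "victim-phone", Decision.DENY)        # owner taps Deny
    enrolled = enroll_authenticator(victim, second, "other-phone")
    return {"password_fallback": password_fallback, "second_enrolled": enrolled,
            "outcome": second.outcome, "notifications": victim.notifications}


def race(order) -> Outcome:
    """Two enrolled devices answer one login challenge in the given order; Deny must win either way."""
    acct = Account("owner@example.invalid", authenticators={"phone-a", "phone-b"})
    ch = Challenge("c3", Purpose.LOGIN, requested_by="phone-b")
    for dev, dec in order:
        respond(acct, ch, dev, dec)
    return ch.outcome
```

The design choice worth noting is that the challenge record, not the order of taps, decides the result: a Deny sets a terminal state, an Approve only ever moves a pending challenge forward, and enrollment reads the challenge state rather than trusting whichever factor the requester managed to supply. Running `scenario_from_post()` shows the password fallback refused, the second phone left unenrolled, and the owner holding a notification for every step.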
Alex Brown: A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company Form.com.