Hi @Alex Simons (AZURE) & @Olena Huang & Rajat Luthra
* Following the comment above from @Jonas Back, my concern is that MS Authenticator tokens can be recovered with only the user id and password from a personal Microsoft account
* This seems to be backed up:
1) On another thread, by a post by @Sergg
2) In this blog article:
https://www.transmitsecurity.com/blog/microsoft-authenticator-a-false-sense-of-security
* Is it indeed correct that all the MS Authenticator 2FA tokens on a device can be stolen, with nothing more than the user id and password from a phished personal Microsoft account?
* If this is indeed the case, this seems to be a way for hackers to bypass 2FA on a 2FA-protected personal Microsoft account
* i.e. something such as key-logging malware steals the personal Microsoft account user id and password
* The stolen user id and password can then be used to steal the MS Authenticator 2FA tokens backed up to that personal Microsoft account
* The stolen 2FA tokens will include the token for the personal Microsoft account with the phished user id and password
* The hacker then has all that is needed to access the 2FA protected account; namely the account user id, password and 2FA token
* A way to avoid this is not to cloud backup MS Authenticator 2FA tokens
* However, not backing up the 2FA tokens means accounts 2FA-protected with MS Authenticator will be locked out if the smartphone owner becomes unable to access the smartphone (e.g. lost, stolen or damaged smartphone)
1) Could someone at Microsoft please post a reply regarding this vulnerability?
2) If anyone else has an observation on this vulnerability, please chip in.
Thanks for any constructive input.
Regards,
Steve
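The chain Steve describes, reduced to the piece that makes it work, as an added example that is not part of the post above and not Microsoft's code: whoever holds the backed-up seed can generate exactly the codes the phone generates. It assumes the backed-up entry is a standard RFC 6238 TOTP seed (the form the app uses for third-party accounts) and models the cloud backup as a plain dictionary so the effect of recovering it is visible; the account name and timestamp are constructed, and the seed is the published RFC 6238 test seed so the codes can be checked against the RFC.

```python
"""Why a recovered authenticator backup defeats TOTP-based 2FA.

Added example; not code from the original post or from Microsoft.
Assumption: the backed-up entry is a standard RFC 6238 TOTP seed, the
kind MS Authenticator stores for third-party accounts. Real backups are
encrypted blobs; here the "backup" is a plain dict so the effect of
recovering it is visible.
"""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), used here
# as a constructed sample seed so the codes can be checked against the RFC.
RFC_SEED = b"12345678901234567890"

# Constructed account name; not a real account.
ACCOUNT = "personal@example.invalid"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


def server_accepts(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Verifier side: accept the code for the current step or +/- `window` steps."""
    for skew in range(-window, window + 1):
        candidate = totp(seed, unix_time + skew * 30)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def simulate(backup_enabled: bool, unix_time: int = 1_700_000_000) -> dict:
    """Model the chain in the post: phished password -> backup -> valid 2FA code.

    Returns what each party can produce so the two cases can be compared.
    """
    # The phone's authenticator holds the seed for the constructed account.
    phone_entries = {ACCOUNT: RFC_SEED}

    # Cloud backup is a copy of the entries, gated by the account password only
    # (the concern in the post); with backup disabled there is nothing to pull.
    cloud_backup = dict(phone_entries) if backup_enabled else {}

    # Attacker: has the phished password, so can pull the backup, but not the phone.
    attacker_seed = cloud_backup.get(ACCOUNT)
    attacker_code = totp(attacker_seed, unix_time) if attacker_seed else None

    # Legitimate user generating a code on the phone at the same moment.
    user_code = totp(phone_entries[ACCOUNT], unix_time)

    # The service keeps the same seed and verifies whatever code is presented.
    server_seed = RFC_SEED
    return {
        "user_code": user_code,
        "attacker_code": attacker_code,
        "codes_match": attacker_code == user_code,
        "attacker_passes_2fa": attacker_code is not None
        and server_accepts(server_seed, attacker_code, unix_time),
    }


if __name__ == "__main__":
    print("backup on :", simulate(True))
    print("backup off:", simulate(False))
```

Running it shows the two outcomes side by side: with backup on, the attacker's code is identical to the phone's and the server accepts it; with backup off, the attacker has no seed and therefore no code, which is the trade-off against lock-out that the post raises.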