Hi Sergg
1) Your earlier comment:
"Does the backup and restore defy the point of MFA authentication? This process does potentially allow cloning the Authenticator app onto a secondary phone (with or without the primary phone owner's knowledge) and therefore defies the non-repudiation principles. What is the protection for the backup file of the authenticator? Microsoft Authenticator recommends using a "Microsoft Live" account, which is a personal account, plus a TEXT/Call/Email code for authentication. But all those methods will not stop someone from backing up an unlocked phone...
Is there an in-app / server feature to detect two authenticator apps running simultaneously on different phones?
P.S. There was always an option to clone an authenticator if the initial QR code was intercepted. But this was only limited to the onboarding phase. Backup and restore opens an opportunity to get all the accounts cloned."
2) Others sharing your view:
* What seems to be the very vulnerability that you describe dawned on me as a possibility this morning
* I searched the internet to see if anyone else has this concern; that search led me to your comment
* Given the magnitude of the vulnerability, I am surprised no one else on this thread seems to have replied to your comment
* On this thread...
Cloud backup and recovery for the Microsoft Authenticator app on Android now available - Microsoft Tech Community
JonasBack seems to have identified the same point as you
* Away from this community, at least one other person seems to have the same concern as you highlight
https://www.transmitsecurity.com/blog/microsoft-authenticator-a-false-sense-of-security
3) Is the Authenticator backup vulnerability potentially even greater? (Please, anyone feel free to correct me if I am wrong)
* I suggest that, since it seems a phished personal Microsoft account is all that is required for a hacker to steal all the MS Authenticator tokens that are cloud backed up to the personal Microsoft account
* What if one of the TOTP tokens backed up to the phished Microsoft account is the TOTP token for a password manager (e.g. Bitwarden, LastPass, NordPass)?
* If the MS personal account was phished by key-logging malware on a device, then it's very possible that the login credentials for the password manager have also been stolen with the key-logging malware (if the MS account and the password manager were logged into using the same infected device)?
* The stolen password manager credentials combined with the Authenticator TOTP tokens stolen via the Authenticator backup process weakness mean criminals could then run riot with all the details stored in the password manager (including the accounts in the password manager that are 2FA protected with MS Authenticator)
* This is all the more ironic since my password manager vendor replied to an email I sent them trying to understand the risks of using a password manager
* The password manager vendor advises that, I should never install a password manager and any 2FA apps that protect the password manager on the same device
* That advice from the password manager seems to make sense, since keeping the password manager and 2FA app on separate devices acts as a firewall in case of data exfiltration malware inadvertently being installed on a device
4) Authy
* I use an online account that insists that the only 2FA app they allow for their online account is Authy
* This seemed odd to me since Authy and numerous other 2FA apps use the same underlying TOTP technology
* I took this up with the tech support people of the online account approx. a week ago (since I am seeking to streamline the TOTP apps that I use)
* They haven't yet given me a reply on why Authy is the only TOTP app that they allow
* However, in light of the comments by Sergg & JonasBack, maybe I know (or do not know) why they insist on only Authy?
* In setting up Authy on an Android smartphone (I've never used an iPhone so can't comment re iPhone), the 1st thing Authy insists that you action when setting up Authy on a smartphone is to enter a "Backups Password"
* Unless the user adds a 'Backups Password', the user isn't given the option to add any accounts to Authy on the device
* Hence, a Backups Password must be added for Authy to be used on the device
5) Has Authy the same vulnerability to hacking via cloud backups as MS Authenticator?
* The Authy Backups Password could potentially be stolen via key-logging malware on a smartphone
* However, there doesn't appear to be anywhere to log in with that password (such as logging in to the Authy website)
* Hence, even if key-logging malware steals my Authy Backups Password and so steals my Authy TOTP tokens from my smartphone, this on its own doesn't threaten my password manager (since the password manager doesn't get accessed from the smartphone on which Authy is installed)
Please dissect; constructive critique is welcomed.
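To make the "cloned authenticator" point in sections 1 and 3 concrete, here is an added example (my own illustration, not code from Microsoft, Authy or anyone in this thread) of what a relying party actually sees once a TOTP seed has been copied to a second phone. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) and the server-side rule the RFC recommends, namely remembering the last accepted time step so a code cannot be replayed. The seed is the RFC 6238 test seed, chosen only so the first code can be checked against the published vectors; the `TotpVerifier` class and `clone_scenario` function are hypothetical names for this example. The outcome it demonstrates: a restored backup yields byte-identical codes, the server can refuse the clone only if it reuses a code within the same step, and one step later the clone's login is indistinguishable from the owner's.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test seed (constructed input for the demo, not a real account seed).
RFC6238_SEED = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP(secret, floor(time / step)) truncated to `digits` decimal digits."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Hypothetical relying-party side: holds the shared seed and tracks the last accepted step.

    This is the replay protection RFC 6238 section 5.2 recommends. It is the *only* signal the
    server has; it never learns how many devices hold the seed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = None        # highest time step for which a code was accepted

    def verify(self, code: str, unix_time: int) -> str:
        now_step = unix_time // self.step
        for delta in range(-self.window, self.window + 1):        # tolerate clock drift
            step = now_step + delta
            expected = totp(self.secret, step * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):                # constant-time compare
                if self.last_step is not None and step <= self.last_step:
                    return "replay"                                 # same/older step already used
                self.last_step = step
                return "ok"
        return "bad"


def clone_scenario(seed: bytes = RFC6238_SEED, t: int = 59, step: int = 30) -> dict:
    """Owner's phone and a phone restored from the backup both hold `seed`; server sees only codes."""
    owner_phone = totp(seed, t)
    cloned_phone = totp(seed, t)               # restore copied the seed, so the maths is identical
    server = TotpVerifier(seed, step=step)
    result = {"codes_identical": owner_phone == cloned_phone}
    result["owner_login"] = server.verify(owner_phone, t)                    # legitimate login
    result["clone_same_step"] = server.verify(cloned_phone, t)               # caught only by replay rule
    result["clone_next_step"] = server.verify(totp(seed, t + step), t + step)  # 30 s later: accepted
    return result


if __name__ == "__main__":
    for k, v in clone_scenario().items():
        print(f"{k:>16}: {v}")
```

The `codes_identical` result is the whole point of the concern raised above: nothing in the TOTP protocol carries a device identity, so detection of two simultaneous authenticators would have to come from elsewhere (the authenticator vendor's own cloud account, push-based approval, or a per-device credential such as a FIDO/passkey), not from the TOTP codes themselves.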