How it works: Backup and restore for Microsoft Authenticator

Published Nov 13 2019 01:00 PM 86.3K Views
Microsoft

Hello! With the dust settling from Ignite 2019, let’s dive in with “how stuff works” – focusing on the Microsoft Authenticator’s backup and restore feature.

 

Earlier this year we released the Microsoft Authenticator backup and restore feature on iOS and Android, which lets you easily move your accounts on the Authenticator app to a new device. Some folks have asked how we secure this process – in this blog, we’ll deep dive into how it works.

In the descriptions below, a “strong authentication token” means the user has authenticated using multi factor authentication - for example, they used a password and then entered a code sent to their phone or email or signed in with Windows Hello or a FIDO token, depending on the factors they have previously enabled.

 

Overview of how the Microsoft Authenticator works

The Microsoft Authenticator supports a variety of authentication mechanisms to support Microsoft consumer, work and school accounts in different modes, as well as any account which supports the OATH TOTP standard.

 

For accounts using the OATH TOTP standard, there is a shared secret stored both in the Authenticator app and in the identity provider.

 

For accounts using other mechanisms, the Authenticator creates a public/private keypair in a hardware backed storage (e.g. the Keychain on iOS and Keystore on Android) and exports the public key to Microsoft’s login server. The private key never leaves the device when a user is using the backup or restore features of their Authenticator app or when using the operating system app restore features.

 

Backup

To restore Microsoft Authenticator accounts on a new device, the user must first back up their current device. Here are the steps.

  1. The user starts the backup process by clicking on the menu, going to settings, and enabling backup.
  2. The Authenticator app uses a strong authentication token to request a 256-bit key from an internal Microsoft account key service. The app receives this key and a retrieval id (Key ID) from the key service.
  3. The Authenticator uses the key to create an encrypted JSON Web Encryption blob (JWE) using AES-256 The information contained varies based on what accounts the Authenticator’s owner has configured.
    1. For all accounts, the Authenticator encrypts relevant metadata about the account such as:
      1. Backup creation time
      2. Account system
      3. Username
      4. Credential types (e.g. Phone Sign-In, TOTP)
    2. For OATH TOTP accounts (including personal Microsoft account and third party), the JWE also includes the shared secret used in TOTP.
    3. The data above is also hashed with SHA-512 to protect against theft and tampering and this hash is added to the JWE.
  1. The JWE and the Key ID are then uploaded to the appropriate cloud storage:
    1. For Android devices, they are stored in Microsoft’s cloud storage provider and tied to the user’s personal Microsoft account.
    2. For iOS devices, they are stored in iCloud and tied to the user’s Apple account.

Restore

After the backup has been successfully created, the user can restore their Microsoft Authenticator accounts on a new device. Here are the steps:

  1. The user starts the recovery process by clicking on “Begin Recovery” on the home screen of the app.
  2. The user is required to sign into the account they used to create the backup in step 2 after which the app retrieves the JWE and key ID stored in step 4 from the appropriate cloud storage – Microsoft’s cloud storage provider (Android devices) or iCloud (iOS devices).
  3. The Authenticator app uses a strong authentication token and the Key ID to retrieve the key from the Microsoft account key service.
  4. Using the key, the Authenticator decrypts the JWE and verifies its integrity using the hash from step 3c.
  5. The contents of the accounts stored in the JWE are used to populate the application, and the user can see their accounts in the app.
    1. OATH TOTP accounts (from 3b) are fully setup as the shared secret has been restored.
    2. For all other accounts displayed, the user must authenticate to create a new public/private keypair on the device and re-register each account’s public key for the new Authenticator instance.

Backup and Recovery Diagram

What’s life without a little UML? Here’s a picture encapsulating the flow described above.

 

Auth Backup and Restore.PNG

 

Summary

Hopefully this helps you understand the mechanics behind our secure backup and restore process for Microsoft Authenticator. If you have any more questions, check out our Microsoft Authenticator docs or ping me at @alex_t_weinert.

 

Stay safe out there!
- Alex

 

41 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-1013428%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1013428%22%20slang%3D%22en-US%22%3E%3CP%3EHow%20about%20between%20iOS%20and%20Android%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1014004%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014004%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-body-wrapper%20lia-component-message-view-widget-body%22%3E%3CDIV%20class%3D%22lia-message-body%22%3E%3CDIV%20class%3D%22lia-message-body-content%22%3E%3CP%3EHello%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F221690%22%20target%3D%22_blank%22%3E%40Alex%20Weinert%3C%2FA%3E%26nbsp%3B%2C%20how%20are%20you%20%3F%20%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22tlid-translation%20translation%22%3E%3CSPAN%20class%3D%22%22%3EI%20did%20the%20test%20below%20and%20it%20didn't%20work%3C%2FSPAN%3E%3C%2FSPAN%3E%20for%20this%20use%20case%20(iPhone%20full%20restore%20from%20iCloud).%20The%20restore%20is%20only%20working%20if%20I%20delete%20the%20app%20and%20reinstall%20in%20the%20same%20device%20or%20moving%20between%20devices%2C%20but%20not%20when%20I%20perform%20a%20full%20iPhone%20restore%20in%20the%20same%20iPhone.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EiOS%2013.2.2%20%2F%20iPhone%2011%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esteps%3A%3C%2FP%3E%3CP%3E1)%20installed%20Microsoft%20Authenticator%20app%3C%2FP%3E%3CP%3E2)%20setup%20personal%20account%20(%40hotmail.com)%3C%2FP%3E%3CP%3E3)%20added%202%20records%20(facebook%20and%20google)%3C%2FP%3E%3CP%3E4)%20performed%20backup%20to%20iCloud%20using%20backup%20feature%20of%20Microsoft%20authenticator%20app%3C%2FP%3E%3CP%3E5)%20performed%20iPhone%20backup%20using%20iOS%20iCloud%20feature%3C%2FP%3E%3CP%3E6)%20reinstall%20iPhone%20using%20iCloud%20backup%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20the%20restore%2C%20I%20tried%20to%20follow%20the%20%22Begin%20Recovery%22%20procedures%20of%20Microsoft%20authenticator%20app%2C%20but%20I%20received%20the%20message%20that%20I%20don't%20have%20a%20backup%20available%20in%20my%20iCloud.%20But%20I%20have%20the%20backup.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWeber%20Ress%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1019835%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1019835%22%20slang%3D%22en-US%22%3E%3CP%3EI%20experienced%20exactly%20the%20same%20as%20Weber.%20But%20I%20found%20an%20iCloud%20'switch'%20in%20the%20settings%20within%20authenticator%2C%20which%20was%20switched%20off.%20So%20an%20iCloud%20backup%20of%20your%20iPhone%20apparently%20doesn't%20backup%20the%20authenticator.%20I%20have%20now%20put%20this%20switch%20to%20'on'.%3C%2FP%3E%3CP%3EI%20now%20have%20three%20account%20in%20the%20authenticator%20that%20will%20not%20give%20me%20any%20one%20time%20passwords.%20I'm%20still%20trying%20to%20get%20them%20to%20work%20without%20completely%20reinstalling%20the%20app.%20Any%20thoughts%20anyone%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJeroen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1022466%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1022466%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%3CSPAN%3EIn%20my%20use%20case%2C%20my%20iCloud%20account%20is%20w1xxxx%40icloud.com%20and%20my%20personal%20MS%20account%20is%20w2xxxx%40hotmail.com.%20Also%2C%20I've%20activated%20the%20iCloud%20backup%20within%20MS%20auth%20app.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%5B%5D's%20!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWeber%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1186255%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1186255%22%20slang%3D%22en-US%22%3EI%20love%20the%20cloud%20backup%20feature%2C%20it%20saved%20between%20factory%20reset!%20Only%20thing%20would%20make%20this%20the%20best%20is%20for%20it%20to%20have%20a%20dark%20mode.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1490884%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1490884%22%20slang%3D%22en-US%22%3E%3CP%3EHas%20anyone%20successfully%20backed%20up%20and%20restored%20MS%20Auth%20when%20you%20switch%20MDM's%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1502635%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1502635%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20good%20start%2C%20but%20in%20need%20of%20more%20work%20I%20think.%20Two%20major%20stumbling%20blocks%20for%20our%20adoption%20are%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20You%20can't%20backup%20to%20a%20work%20or%20school%20account.%3C%2FP%3E%3CP%3E2)%20You%20can't%20restore%20across%20platforms.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20could%20probably%20live%20without%20the%20first%20one%20(whilst%20grumbling)%2C%20but%20it's%20dead%20in%20the%20water%20without%20the%20second.%20A%20backup%20you%20can't%20recover%20is%20hopeless.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20someone%20tell%20me%20I'm%20missing%20something%20so%20I%20can%20apologise%20and%20get%20excited%20about%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1529782%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1529782%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20having%20issues%20with%20the%20sound%20and%20haptics%20on%20my%20iPhone%20and%20needed%20to%20do%20a%20reset%20and%20restore%20from%20iCloud.%20MSAuthenticator%20was%20set%20to%20back%20up%20to%20the%20cloud.%20I%20had%20moved%20all%20my%20accounts%20out%20of%20Google%20Authenticator%20because%20of%20the%20horror%20stories%20I%20had%20heard%20from%20people%20losing%20codes%20when%20getting%20a%20new%20phone%20or%20restoring.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20as%20it%20turns%20out%2C%20I%20ended%20up%20losing%20all%20the%20codes%20I%20had%20in%20MS%20Authenticator.%20When%20going%20to%20Recover%20Accounts%2C%20it%20only%20loads%20my%20account%20that%20was%20associated%20with%20the%20backups%20in%20iCloud%20that%20I%20assumed%20would%20be%20used%20to%20restore%20the%20codes.%20Ironically%2C%20all%20the%20codes%20I%20had%20in%20Authy%20and%20Google%20authenticator%20are%20all%20there%20without%20having%20had%20to%20do%20anything.%20Is%20there%20any%20way%20to%20get%20them%20back%3F%20Such%20a%20bummer.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20been%20trying%20to%20decide%20between%20MS%20and%20Authy%20for%20a%20while%20now%20and%20it%20seems%20like%20the%20choice%20is%20now%20obvious%20which%20to%20go%20if%20you%20don't%20want%20to%20lose%20all%20your%20codes%20in%20the%20event%20of%20doing%20a%20restore%20on%20your%20phone.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1569328%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1569328%22%20slang%3D%22en-US%22%3E%3CP%3EQuick%20question%20to%20Microsoft%20Team%2C%3C%2FP%3E%3CP%3EDoes%20the%20backup%20and%20restore%20defy%20the%20point%20of%20MFA%20authentication%3F%20This%20process%20does%20potentially%20allows%20cloning%20Authenticator%20app%20into%20a%20secondary%20phone%20(with%20or%20without%20primary%20phone%20owner%20knowledge)%20and%20therefore%20defies%20the%20non-repudiation%20principals.%20What%20is%20the%20protection%20for%20the%20backup%20file%20of%20the%20authenticator%3F%20Microsoft%20Authenticator%20recommends%20using%20%22Microsoft%20Live%22%20account%20that%20is%20a%20personal%20account%20plus%20TEXT%2FCall%2FEmail%20code%20for%20authentication.%20But%20all%20those%20methods%20will%20not%20stop%20from%20backing-up%20unlocked%20phone...%3C%2FP%3E%3CP%3EIs%20there%20in-app%20%2F%20server%20feature%20to%20detect%20two%20authenticator%20apps%20running%20simultaneously%20on%20the%20different%20phones%3F%3C%2FP%3E%3CP%3EP.S.%20There%20was%20always%20an%20option%20to%20clone%20an%20authenticator%20if%20initial%20QR%20code%20intercepted.%20But%20this%20was%20only%20limited%20to%20onboarding%20phase.%20Backup%20and%20restore%20opens%20an%20opportunity%20to%20get%20all%20the%20accounts%20cloned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1586649%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1586649%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20got%20a%20pretty%20basic%20issue%20with%20the%20Microsoft%20Authenticator%20-%20or%20maybe%20it's%20just%20the%20documentation%2Fhelp.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20ensure%20I%20can%20recover%20from%20loss%2Ftheft%2Fetc%2C%20I've%20turned%20on%20%22Cloud%20backup%22%20in%20the%20Authenticator%20app's%20settings%20on%20my%20android%20phone.%20The%20immediate%20question%20that%20comes%20to%20mind%20is%20whether%20this%20is%20a%20one-off%20backup%2C%20or%20whether%20MS%26nbsp%3BAuthenticator%20is%20going%20to%20keep%20%22syncing%22%20to%20the%20secure%20cloud-backup%20(linked%20to%20my%20MS%20account)%20all%20subsequent%20additions%2Fchanges%2Fetc%20to%20the%20accounts%20I%20store%20in%20Authenticator.%20I%20assume%20it%20is%20an%20ongoing%20process%20because%20I%20%22turn%20on%22%20the%20cloud-backup%20rather%20than%20just%20%22creating%22%20it.%20But%20this%20is%20not%20confirmed%20in%20any%20MS%20documentation%20I%20have%20found%20-%20apart%20from%20one%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fcloud-backup-and-recovery-for-the-microsoft-authenticator-app-on%2Fba-p%2F566369%22%20target%3D%22_self%22%3Earticle%3C%2FA%3E%20in%20the%20Azure%20Active%20Directory%20Blog%2C%20which%20states%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CSPAN%3EOnce%20you%20turn%20cloud%20backup%20on%2C%20your%20data%20is%20encrypted%20and%20stored%20with%20your%20personal%20Microsoft%20account.%20Your%20account%20credentials%20stay%20updated%20when%20you%20add%2C%20delete%2C%20or%20edit%20your%20accounts.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHowever%2C%20if%2C%20in%20the%26nbsp%3BMicrosoft%20Authenticator%20app%20on%20my%20phone%2C%20I%20go%20to%20the%20backup%20settings%20and%20tap%20on%20%22Details%22%2C%20it%20shows%20when%20the%20backup%20was%20%22created%22%20and%20when%20it%20was%20%22last%20updated%22.%20The%20creation%20date-time%20is%20indeed%20when%20I%20tuned%20on%20Cloud-backup%20-%20but%20the%20%22last%20updated%22%20date-time%20is%20only%203%20secs%20later%2C%20even%20though%20I%20have%20since%20added%20several%203rd%20party%20accounts%20to%20the%20Authenticator.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESo%20what%20is%20going%20on%3F%20Is%20the%20Cloud-backup%20not%20working%20properly%3F%20Is%20the%26nbsp%3B%22last%20updated%22%20info%20shown%20in%20the%20app%20just%20plain%20wrong%3F%20Or%20am%20I%20missing%20something%3F%20The%20devil's%20in%20the%20details%20-%20and%20if%20the%20details%20are%20wrong%20you%20can't%20really%20rely%20on%20the%20app.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1745939%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1745939%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20restore%20on%20android%2C%20just%20(re)install%20the%20app%2C%20don't%20add%20an%20account%2C%20just%20use%20skip%20a%20few%20times%20until%20you%20see%20the%20restore%20option.%3C%2FP%3E%3CP%3EWorks%20also%20to%20install%20it%20on%20a%20second%20android%20device%2C%20just%20use%20your%20backup%20account%20from%20the%20first%20device%20in%20the%20restore%20option.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1758887%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1758887%22%20slang%3D%22en-US%22%3E%3CP%3EI%E2%80%99d%20like%20to%20restore%20from%20an%20older%20backup%20but%20Authenticator%20won%E2%80%99t%20let%20me.%20Is%20there%20a%20workaround%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1932007%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1932007%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20Authenticator%20is%20really%20the%20best%20authenticator%20app%20out%20there%2C%20I%20love%20this%20backup%2Frestore%20functionality.%20when%20I%20was%20using%20other%20authenticator%20apps%20and%20I%20reset%20my%20phone%2C%20uninstalled%20the%20app%2C%20lost%20the%20phone%20etc%2C%20I%20had%20to%20go%20through%20the%20trouble%20of%20recovering%20each%20of%20my%20accounts%3C%2FP%3E%3CP%3Ebut%20with%20backup%2Frestore%20feature%20none%20of%20them%20is%20necessary%20anymore.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20wish%20Microsoft%20Authenticator%20had%20an%20app%20for%20Windows%2010%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2037774%22%20slang%3D%22de-DE%22%3ESubject%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2037774%22%20slang%3D%22de-DE%22%3E%3CP%3EServus%20Alex%2C%20%3CBR%20%2F%3E%3CBR%20%2F%3E%20the%20question%20is%3A%20%3CBR%20%2F%3E%20%5B...%5D%20they%20are%20stored%20in%20Microsoft's%20cloud%20storage%20provider%20and%20tied%20to%20the%20user's%20personal%20Microsoft%20account.%20%3CBR%20%2F%3E%3CBR%20%2F%3E%20WHERE%3F%20is%20this%3F%20How%20to%20view%20the%20data%20in%20my%20profile%3F%20%3CBR%20%2F%3E%3CBR%20%2F%3E%20THX%20%3CBR%20%2F%3E%20Mark%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1006678%22%20slang%3D%22en-US%22%3EHow%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1006678%22%20slang%3D%22en-US%22%3E%3CP%3EHello!%20With%20the%20dust%20settling%20from%20Ignite%202019%2C%20let%E2%80%99s%20dive%20in%20with%20%E2%80%9Chow%20stuff%20works%E2%80%9D%20%E2%80%93%20focusing%20on%20the%20Microsoft%20Authenticator%E2%80%99s%20backup%20and%20restore%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEarlier%20this%20year%20we%20released%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-Identity%2FCloud-backup-and-recovery-for-the-Microsoft-Authenticator-app-on%2Fba-p%2F566369%22%20target%3D%22_blank%22%3EMicrosoft%20Authenticator%20backup%20and%20restore%3C%2FA%3E%20feature%20on%20iOS%20and%20Android%2C%20which%20lets%20you%20easily%20move%20your%20accounts%20on%20the%20Authenticator%20app%20to%20a%20new%20device.%20Some%20folks%20have%20asked%20how%20we%20secure%20this%20process%20%E2%80%93%20in%20this%20blog%2C%20we%E2%80%99ll%20deep%20dive%20into%20how%20it%20works.%3C%2FP%3E%3CP%3EIn%20the%20descriptions%20below%2C%20a%20%E2%80%9Cstrong%20authentication%20token%E2%80%9D%20means%20the%20user%20has%20authenticated%20using%20multi%20factor%20authentication%20-%20for%20example%2C%20they%20used%20a%20password%20and%20then%20entered%20a%20code%20sent%20to%20their%20phone%20or%20email%20or%20signed%20in%20with%20Windows%20Hello%20or%20a%20FIDO%20token%2C%20depending%20on%20the%20factors%20they%20have%20previously%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EOverview%20of%20how%20the%20Microsoft%20Authenticator%20works%3CP%3EThe%20Microsoft%20Authenticator%20supports%20a%20variety%20of%20authentication%20mechanisms%20to%20support%20Microsoft%20consumer%2C%20work%20and%20school%20accounts%20in%20different%20modes%2C%20as%20well%20as%20any%20account%20which%20supports%20the%20%3CA%20href%3D%22https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc6238%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EOATH%20TOTP%3C%2FA%3E%20standard.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20accounts%20using%20the%20OATH%20TOTP%20standard%2C%20there%20is%20a%20shared%20secret%20stored%20both%20in%20the%20Authenticator%20app%20and%20in%20the%20identity%20provider.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20accounts%20using%20other%20mechanisms%2C%20the%20Authenticator%20creates%20a%20public%2Fprivate%20keypair%20in%20a%20hardware%20backed%20storage%20(e.g.%20the%20Keychain%20on%20iOS%20and%20Keystore%20on%20Android)%20and%20exports%20the%20public%20key%20to%20Microsoft%E2%80%99s%20login%20server.%20The%20private%20key%20never%20leaves%20the%20device%20when%20a%20user%20is%20using%20the%20backup%20or%20restore%20features%20of%20their%20Authenticator%20app%20or%20when%20using%20the%20operating%20system%20app%20restore%20features.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EBackup%3CP%3ETo%20restore%20Microsoft%20Authenticator%20accounts%20on%20a%20new%20device%2C%20the%20user%20must%20first%20back%20up%20their%20current%20device.%20Here%20are%20the%20steps.%3C%2FP%3EThe%20user%20starts%20the%20backup%20process%20by%20clicking%20on%20the%20menu%2C%20going%20to%20settings%2C%20and%20enabling%20backup.%20The%20Authenticator%20app%20uses%20a%20strong%20authentication%20token%20to%20request%20a%20256-bit%20key%20from%20an%20internal%20Microsoft%20account%20key%20service.%20The%20app%20receives%20this%20key%20and%20a%20retrieval%20id%20(Key%20ID)%20from%20the%20key%20service.%20The%20Authenticator%20uses%20the%20key%20to%20create%20an%20encrypted%20%3CA%20href%3D%22https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc7516%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EJSON%20Web%20Encryption%3C%2FA%3E%20blob%20(JWE)%20using%20%3CA%20href%3D%22https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAdvanced_Encryption_Standard%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EAES-256%3C%2FA%3E%20The%20information%20contained%20varies%20based%20on%20what%20accounts%20the%20Authenticator%E2%80%99s%20owner%20has%20configured.%20For%20all%20accounts%2C%20the%20Authenticator%20encrypts%20relevant%20metadata%20about%20the%20account%20such%20as%3A%20Backup%20creation%20time%20Account%20system%20Username%20Credential%20types%20(e.g.%20Phone%20Sign-In%2C%20TOTP)%20For%20OATH%20TOTP%20accounts%20(including%20personal%20Microsoft%20account%20and%20third%20party)%2C%20the%20JWE%20also%20includes%20the%20shared%20secret%20used%20in%20TOTP.%20The%20data%20above%20is%20also%20hashed%20with%20%3CA%20href%3D%22https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSHA-2%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ESHA%3C%2FA%3E-512%20to%20protect%20against%20theft%20and%20tampering%20and%20this%20hash%20is%20added%20to%20the%20JWE.%20The%20JWE%20and%20the%20Key%20ID%20are%20then%20uploaded%20to%20the%20appropriate%20cloud%20storage%3A%20For%20Android%20devices%2C%20they%20are%20stored%20in%20Microsoft%E2%80%99s%20cloud%20storage%20provider%20and%20tied%20to%20the%20user%E2%80%99s%20personal%20Microsoft%20account.%20For%20iOS%20devices%2C%20they%20are%20stored%20in%20iCloud%20and%20tied%20to%20the%20user%E2%80%99s%20Apple%20account.%3CBR%20%2F%3E%3CBR%20%2F%3E%20Restore%3CP%3EAfter%20the%20backup%20has%20been%20successfully%20created%2C%20the%20user%20can%20restore%20their%20Microsoft%20Authenticator%20accounts%20on%20a%20new%20device.%20Here%20are%20the%20steps%3A%3C%2FP%3EThe%20user%20starts%20the%20recovery%20process%20by%20clicking%20on%20%E2%80%9CBegin%20Recovery%E2%80%9D%20on%20the%20home%20screen%20of%20the%20app.%20The%20user%20is%20required%20to%20sign%20into%20the%20account%20they%20used%20to%20create%20the%20backup%20in%20step%202%20after%20which%20the%20app%20retrieves%20the%20JWE%20and%20key%20ID%20stored%20in%20step%204%20from%20the%20appropriate%20cloud%20storage%20%E2%80%93%20Microsoft%E2%80%99s%20cloud%20storage%20provider%20(Android%20devices)%20or%20iCloud%20(iOS%20devices).%20The%20Authenticator%20app%20uses%20a%20strong%20authentication%20token%20and%20the%20Key%20ID%20to%20retrieve%20the%20key%20from%20the%20Microsoft%20account%20key%20service.%20Using%20the%20key%2C%20the%20Authenticator%20decrypts%20the%20JWE%20and%20verifies%20its%20integrity%20using%20the%20hash%20from%20step%203c.%20The%20contents%20of%20the%20accounts%20stored%20in%20the%20JWE%20are%20used%20to%20populate%20the%20application%2C%20and%20the%20user%20can%20see%20their%20accounts%20in%20the%20app.%20OATH%20TOTP%20accounts%20(from%203b)%20are%20fully%20setup%20as%20the%20shared%20secret%20has%20been%20restored.%20For%20all%20other%20accounts%20displayed%2C%20the%20user%20must%20authenticate%20to%20create%20a%20new%20public%2Fprivate%20keypair%20on%20the%20device%20and%20re-register%20each%20account%E2%80%99s%20public%20key%20for%20the%20new%20Authenticator%20instance.%3CBR%20%2F%3E%3CBR%20%2F%3E%20Backup%20and%20Recovery%20Diagram%3CP%3EWhat%E2%80%99s%20life%20without%20a%20little%20UML%3F%20Here%E2%80%99s%20a%20picture%20encapsulating%20the%20flow%20described%20above.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3ESummary%3CP%3EHopefully%20this%20helps%20you%20understand%20the%20mechanics%20behind%20our%20secure%20backup%20and%20restore%20process%20for%20Microsoft%20Authenticator.%20If%20you%20have%20any%20more%20questions%2C%20check%20out%20our%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fmulti-factor-authentication%2Fend-user%2Fmicrosoft-authenticator-app-backup-and-recovery%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Authenticator%20docs%3C%2FA%3E%20or%20ping%20me%20at%20%3CA%20href%3D%22http%3A%2F%2Ftwitter.com%2Falex_t_weinert%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3E%40alex_t_weinert%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EStay%20safe%20out%20there!%3CBR%20%2F%3E-%20Alex%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1006678%22%20slang%3D%22en-US%22%3E%3CP%3ELet%E2%80%99s%20dive%20in%20with%20%E2%80%9Chow%20stuff%20works%E2%80%9D%20%E2%80%93%20focusing%20on%20the%20Microsoft%20Authenticator%E2%80%99s%20backup%20and%20restore%20feature.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1006678%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2090391%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2090391%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20anyway%20to%20restore%20older%20backups%20aside%20from%20my%20current%20one%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2091267%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2091267%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F681982%22%20target%3D%22_blank%22%3E%40gruppenrichtlinien%3C%2FA%3E%26nbsp%3Byou%20can%20view%20your%20data%20by%20signing%20into%20Edge%20desktop%2C%20mobile%2C%20use%20Authenticator%20app%20on%20mobile%2C%20use%20Autofill%20extension%20from%20Chrome%20browser%20available%20for%20Chrome.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2091631%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2091631%22%20slang%3D%22en-US%22%3E%3CP%3EAndroid%3A%3C%2FP%3E%3CP%3EI%20have%202%20MS%20Authenticator%20installed%3A%20one%20for%20private%20use%2C%20another%20for%20company%20use%20in%20Work%20Profile.%3C%2FP%3E%3CP%3EThe%20private%26nbsp%3BAuthenticator%20backup%20is%20working%20OK%2C%20the%20company%26nbsp%3BAuthenticator%20-%20requires%20private%20MS%20account%20-%20it%20is%20a%20no-no%20in%20work%20profile%20-%20so%20no%20backup%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2091691%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2091691%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%26nbsp%3BIs%20there%20anyway%20I%20can%20view%20previous%20cloud%20backups%20for%20microsoft%20authenicator%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2091900%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2091900%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F940213%22%20target%3D%22_blank%22%3E%40HunterHero1234%3C%2FA%3E%26nbsp%3Bby%20previous%20do%20you%20mean%20deleted%20content%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2091904%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2091904%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%26nbsp%3BYeah%20basically%20is%20there%20a%20way%20to%20restore%20deleted%20auth%20keys%2C%20or%20previous%20cloud%20backups%2Folder%20backups%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093301%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093301%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F940213%22%20target%3D%22_blank%22%3E%40HunterHero1234%3C%2FA%3E%26nbsp%3BI%20don't%20think%20so%2C%20I%20read%20the%20Microsoft%20Docs%20section%20about%20it%20but%20couldn't%20find%20anything%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fuser-help%2Fuser-help-auth-app-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fuser-help%2Fuser-help-auth-app-overview%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2109317%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2109317%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%3C%2FP%3E%3CP%3EI%20was%20told%20to%20contact%20the%20microsoft%20data%20protection%20team%20to%20ask%20about%20my%20data%20idk%20if%20they%20can%20help%20tho%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2109469%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2109469%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F940213%22%20target%3D%22_blank%22%3E%40HunterHero1234%3C%2FA%3E%26nbsp%3BWell%20give%20it%20a%20try%2C%20hope%20for%20the%20best%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2196242%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2196242%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20rather%20disappointed%20it%20can't%20restore%20the%2020%20or%20so%20work%20MFA%20accounts%20I%20have%2C%20and%20that%20it%20can't%20do%20cross%20platform%20restore.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2202925%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2202925%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F758374%22%20target%3D%22_blank%22%3E%40Jules22%3C%2FA%3E%26nbsp%3BYour%20observations%20regarding%20the%20backup%20not%20being%20updated%20appear%20to%20be%20correct%3A%20I%20noticed%20the%20same%20thing%2C%20and%20I've%20since%20confirmed%20that%20the%20backup%20is%20not%20updated%20automatically.%20(I%20installed%20the%20app%20on%20another%20phone%2C%20and%20restored%20from%20the%20backup%2C%20and%20the%20backup%20only%20contained%20the%20entries%20saved%20when%20I%20first%20enabled%20backups.%20I%20repeated%20this%20test%20two%20more%20times%2C%20adding%20and%20removing%20a%20fake%20entry%2C%20with%20only%20manual-backup-deletion-and-recreation%20transferring%20the%20changes.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20yes%2C%20the%20statement%20about%20the%20backup%20being%20automatically%20updated%20as%20you%20add%2Fremove%20entries%20is%20just%20plain%20wrong.%20(at%20least%20on%20Android)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20probably%20the%20source%20of%20some%20reviews%20on%20the%20Play%20Store%20about%20the%20backup%20not-working%2Fbeing-empty%20--%20the%20app%20doesn't%20make%20it%20clear%20that%20you%20have%20to%20manually%20delete-and-recreate%20the%20backup%20each%20time%20you%20make%20a%20change.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2375417%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2375417%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20deleted%20by%20error%20the%20Microsoft%20Authenticator%20App%20from%20my%20Android.%3C%2FP%3E%3CP%3EI%20try%20to%20reinstall%20it%20now.%3C%2FP%3E%3CP%3EEither%20I%20use%20the%20restore%20and%20back-up%20or%20ad%20my%20former%20account%2C%20I%20always%20have%20to%20identify.%3C%2FP%3E%3CP%3EBut%20the%20App%20gives%20an%20old%20email%20address%20and%20telephone%20number%20which%20are%20not%20in%20use%20anymore...%3C%2FP%3E%3CP%3ENo%20way%20to%20get%20around%20so%20I%E2%80%99m%20blocked%2C%20even%20to%20enter%20my%20Microsoft%20Account.%3C%2FP%3E%3CP%3EAnyone%20a%20solution%3F%3C%2FP%3E%3CP%3EThanks%20a%20lot%2C%3C%2FP%3E%3CP%3EWim%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2375433%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2375433%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20a%20solution%20I%20find%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExisting%20Microsoft%20Authenticator%20accounts%3A%20If%20you%20have%20already%20set%20up%20accounts%20in%20the%20Microsoft%20Authenticator%20app%2C%20the%20app%20cannot%20restore%20your%20backup%20account.%20Preventing%20recovery%20ensures%20that%20your%20account%20information%20is%20not%20overwritten%20with%20outdated%20information.%20In%20this%20case%2C%20you%20must%20delete%20the%20existing%20account%20information%20from%20the%20existing%20accounts%20set%20up%20in%20the%20authenticator%20app%20before%20you%20can%20restore%20your%20backup.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20should%20delete%20the%20account%20data%20but%20I%20don't%20see%20how%20to%20do%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2392263%22%20slang%3D%22de-DE%22%3ESubject%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2392263%22%20slang%3D%22de-DE%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3EI%20use%20a%20company%20IPhone%20and%20for%20this%20it%20is%20forbidden%20(and%20disabled%20by%20IT)%20to%20use%20iCloud.%20So%20did%20you%20guys%20consider%20this%20somehow%3F%20is%20there%20another%20option%20to%20just%20backup%20it%20to%20my%20laptop%20and%20restore%20it%20from%20there%3F%20Or%20using%20your%20OneDrive%20Cloud%3F%26nbsp%3B%3CBR%20%2F%3EBecause%20I%20have%20several%20accounts%20linked%20there%20and%20it%20will%20be%20very%20annoying%20to%20disable%20and%20reenable%20all%20of%20them%20manually.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2455144%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2455144%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20facing%20the%20same%20issue%20as%20AVRM91%20(iCloud%20blocked%20on%20managed%20iPhone).%20Additionally%2C%20I'd%20like%20to%20import%20a%20backup%20made%20with%20the%20authenticator%20on%20Android%2C%20on%20iOS.%20Why%20isn't%20it%20possible%20to%20select%20OneDrive%20as%20source%20when%20restoring%20a%20backup%20on%20iOS%3F%26nbsp%3B%20Even%20if%20iCloud%20wasn't%20blocked%2C%20I%20wouldn't%20be%20able%20to%20restore%20the%20backup%20on%20iOS%20as%20on%20iOS%2C%20only%20iCloud%20is%20supported.%26nbsp%3B%20Would%20it%20be%20possible%20to%20change%20that%20in%20a%20future%20version%3F%26nbsp%3B%20Even%20an%20option%20to%20import%20an%20offline%20backup%20would%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2573329%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2573329%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20solution%20for%20backing%20up%20locally%20or%20otherwise%20when%20a%20corporate%20managed%20IPhone%20does%20not%20allow%20icloud%20backup%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2663701%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2663701%22%20slang%3D%22en-US%22%3E%3CP%3EI%20would%20also%20need%20to%20know%20that.%3C%2FP%3E%3CP%3EWe%20have%20Apple%20DEP%20phones%20that%20do%20not%20need%20an%20account%26nbsp%3B%40%20Apple%20and%20we%20like%20to%20keep%20it%20that%20way.%3C%2FP%3E%3CP%3EAlso%20-%20corporate%20accounts%20should%20not%20be%20on%20private%20storage.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2785851%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2785851%22%20slang%3D%22en-US%22%3E%3CP%3ERecovery%20doesn%E2%80%99t%20work%20on%20iOS.%20Restored%20an%20iOS%20device%20a%20few%20months%20ago%2C%20and%20just%20transferred%20to%20a%20new%20iphone.%20Both%20times%20the%20%E2%80%9Cstart%20recovery%E2%80%9D%20process%20failed%20complaining%20that%20no%20iCloud%20backup%20existed.%20Triple-checked%20backup%20was%20on%20and%20up%20to%20date%20before%20proceeding%20both%20times.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EFrom%20the%20logs%20it%20looks%20like%20the%20app%20is%20deleting%20the%20backup%20on%20first%20run%20when%20it%20detects%20no%20account%20signed%20in.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2021-09-24%2021%3A21%3A20.750%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3EVERB%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3EPhoneFactor%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E0%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3ETID%3D13%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E219%20(updateCloudBackupIfNeeded())%20There%20is%20MSA%20backup%20metadata%2C%20but%20the%20MSA%20account%20is%20gone.%20Delete%20backup.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2021-09-24%2021%3A21%3A20.750%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3EVERB%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3EPhoneFactor%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E0%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3ETID%3D13%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E148%20(deleteBackup(backupName%3AcompletionHandler%3AerrorHandler%3A))%20Deleting%20backup%20with%20name%20Backup%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2021-09-24%2021%3A21%3A20.751%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3EVERB%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3EPhoneFactor%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E0%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3ETID%3D13%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3C%2FSPAN%3E113%20(delete(containerIdentifier%3AcompletionHandler%3AerrorHandler%3A))%20Deleting%20a%20CloudKitContainer%20with%20name%3ABackup%20type%3AMicrosoftAuthenticatorBackup%20from%20the%20CloudKit%20storage.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESubmitted%20a%20ticket%20through%20the%20App%2C%20hopefully%20someone%20is%20looking%20into%20this%2C%20but%20I%E2%80%99d%20say%20it%E2%80%99s%20not%20been%20working%20for%20several%20months.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2947382%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2947382%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20my%20MS%20Auth%20App%20backed%20up%20on%20an%20iphone%2012.%26nbsp%3B%20I%20use%20it%20for%20an%20Office%20365%20work%20account.%26nbsp%3B%20I%20read%20that%20if%20I%20restore%20to%20a%20new%20phone%2C%20for%20the%20work%20account%20it%20will%20ask%20me%20to%20scan%20the%20bar%20code.%26nbsp%3B%20To%20get%20that%20bar%20code%2C%20I%20need%20to%20log%20into%20the%20365%20account%20and%20setup%20MFA%20again.%26nbsp%3B%20If%20I%20need%20MFA%20to%20log%20in%2C%20how%20do%20I%20get%20in%20if%20I%20don't%20have%20the%20old%20phone%3F%26nbsp%3B%20I%20am%20not%20in%20this%20situation%20but%20curious%20what%20if%20I%20no%20longer%20had%20access%20to%20the%20old%20phone%20(lost%20or%20broke)%20and%20had%20to%20get%20a%20new%20one%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2948628%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2948628%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1209679%22%20target%3D%22_blank%22%3E%40rincman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAsk%20your%20IT%20to%20reset%20your%20MFA%20Auth%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2949559%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2949559%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F533323%22%20target%3D%22_blank%22%3E%40StephanGee%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%20I%20am%20the%20IT%20%3A).%26nbsp%3B%20Only%20me%20and%20three%20other%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3069779%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3069779%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F283216%22%20target%3D%22_blank%22%3E%40Sergg%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Your%20earlier%20comment%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Does%20the%20backup%20and%20restore%20defy%20the%20point%20of%20MFA%20authentication%3F%20This%20process%20does%20potentially%20allows%20cloning%20Authenticator%20app%20into%20a%20secondary%20phone%20(with%20or%20without%20primary%20phone%20owner%20knowledge)%20and%20therefore%20defies%20the%20non-repudiation%20principals.%20What%20is%20the%20protection%20for%20the%20backup%20file%20of%20the%20authenticator%3F%20Microsoft%20Authenticator%20recommends%20using%20%22Microsoft%20Live%22%20account%20that%20is%20a%20personal%20account%20plus%20TEXT%2FCall%2FEmail%20code%20for%20authentication.%20But%20all%20those%20methods%20will%20not%20stop%20from%20backing-up%20unlocked%20phone...%3C%2FP%3E%3CP%3EIs%20there%20in-app%20%2F%20server%20feature%20to%20detect%20two%20authenticator%20apps%20running%20simultaneously%20on%20the%20different%20phones%3F%3C%2FP%3E%3CP%3EP.S.%20There%20was%20always%20an%20option%20to%20clone%20an%20authenticator%20if%20initial%20QR%20code%20intercepted.%20But%20this%20was%20only%20limited%20to%20onboarding%20phase.%20Backup%20and%20restore%20opens%20an%20opportunity%20to%20get%20all%20the%20accounts%20cloned.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20Others%20sharing%20your%20view%3CBR%20%2F%3E*%20What%20seems%20to%20be%20the%20very%20vulnerability%20that%20you%20describe%20dawned%20on%20me%20as%20a%20possibility%20this%20morning%3C%2FP%3E%3CP%3E*%20I%20searched%20the%20internet%20to%20see%20if%20anyone%20else%20has%20this%20concern%3B%20that%20search%20led%20me%20to%20your%20comment%3C%2FP%3E%3CP%3E*%20Given%20the%20magnitude%20of%20the%20vulnerability%2C%20I%20am%20surprised%20no%20one%20else%20on%20this%20thread%20seems%20to%20have%20replied%20to%20your%20comment%3C%2FP%3E%3CP%3E*%20On%20this%20thread...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fcloud-backup-and-recovery-for-the-microsoft-authenticator-app-on%2Fba-p%2F566369%22%20target%3D%22_blank%22%3ECloud%20backup%20and%20recovery%20for%20the%20Microsoft%20Authenticator%20app%20on%20Android%20now%20available%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19218%22%20target%3D%22_blank%22%3E%40Jonas%20Back%3C%2FA%3Eseems%20to%20have%20identified%20the%20same%20point%20as%20you%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20Away%20from%20this%20community%2C%20at%20least%20one%20other%20person%20seems%20to%20have%20the%20same%20concern%20as%20you%20highlight%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.transmitsecurity.com%2Fblog%2Fmicrosoft-authenticator-a-false-sense-of-security%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EMicrosoft%20Authenticator%3A%20A%20False%20Sense%20Of%20Security%3F%20-%20Transmit%20Security%20Blog%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E3)%20Is%20the%20Authenticator%20backups%20vulnerability%20potentially%20even%20greater%3F%20(Please%2C%20anyone%20feel%20free%20to%20correct%20me%20if%20I%20am%20wrong)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20I%20suggest%20that%20since%20it%20seems%20a%20phished%20personal%20Microsoft%20is%20all%20that%20is%20required%20to%20for%20a%20hacker%20to%20steal%20all%20the%20MS%20Authenticator%20tokens%20that%20are%20cloud%20backed%20up%20to%20the%20personal%20Microsoft%20account%3C%2FP%3E%3CP%3E*%20What%20if%20one%20of%20the%20totp%20tokens%20backed%20up%20to%20the%20phished%20Microsoft%20account%2C%20is%20the%20the%20totp%20token%20for%20a%20password%20manager%20(e.g.%20Bitwarden%2C%20LastPass%2C%20NordPass)%3F%3C%2FP%3E%3CP%3E*%20If%20the%20MS%20personal%20account%20was%20phished%20by%20key%20logging%20malware%20on%20a%20device%2C%20then%20it's%20very%20possible%20that%20the%20login%20credentials%20for%20the%20password%20manager%20have%20also%20been%20stolen%20with%20the%20key%20logging%20malware%20(if%20the%20MS%20account%20and%20the%20password%20manager%20were%20logged%20into%20using%20the%20same%20infected%20device)%3F%3C%2FP%3E%3CP%3E*%20The%20stolen%20password%20manager%20credentials%20combined%20with%20the%20Authenticaor%20totp%20tokens%20stolen%20via%20the%20Authenticator%20backup%20process%20weakness%2C%20means%20criminals%20could%20then%20run%20riot%20with%20all%20the%20details%20stored%20in%20the%20password%20manager%20(including%20the%20accounts%20in%20the%20password%20manager%20that%20are%202FA%20protected%20with%20MS%20Authenticator)%3C%2FP%3E%3CP%3E*%20This%20is%20all%20the%20more%20ironic%20since%20my%20password%20manager%20vendor%20replied%20to%20an%20email%20I%20sent%20them%20trying%20to%20understand%20the%20risks%20of%20using%20a%20password%20manager%3C%2FP%3E%3CP%3E*%20The%20password%20manager%20vendor%20advises%20that%2C%20I%20should%20never%20install%20a%20password%20manager%20and%20any%202FA%20apps%20that%20protect%20the%20password%20manager%20on%20the%20same%20device%3C%2FP%3E%3CP%3E*%20That%20advice%20from%20the%20password%20manager%20seems%20to%20make%20sense%2C%20since%20keeping%20the%20password%20manager%20and%202FA%20app%20on%20separate%20devices%20acts%20as%20a%20firewall%20in%20case%20of%20data%20exfiltration%20malware%20inadvertently%20being%20installed%20on%20a%20device%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E4)%20FX%20%26amp%3B%20Authy%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20I%20use%20an%20online%20FX%20account%20that%20insist%20that%20the%20only%202FA%20app%20that%20they%20allow%20for%20their%20online%20account%20is%20Authy%3C%2FP%3E%3CP%3E*%20This%20seemed%20odd%20to%20me%20since%20Authy%20and%20numerous%20other%202FA%20apps%20used%20the%20same%20underlying%20totp%20technology%3C%2FP%3E%3CP%3E*%20I%20took%20this%20up%20with%20their%20tech%20support%20people%20approx%20a%20week%20ago%20(since%20I%20am%20seeking%20to%20steamline%20the%20totp%20apps%20that%20I%20use)%3C%2FP%3E%3CP%3E*%20They%20haven't%20yet%20given%20me%20a%20reply%20as%20yet%20on%20why%20Authy%20is%20the%20only%20totp%20app%20that%20they%20allow%3C%2FP%3E%3CP%3E*%20However%2C%20in%20light%20of%20the%20comments%20by%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F283216%22%20target%3D%22_blank%22%3E%40Sergg%3C%2FA%3E%20%26amp%3B%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19218%22%20target%3D%22_blank%22%3E%40Jonas%20Back%3C%2FA%3E%20%2C%20maybe%20I%20know%20(or%20do%20not%20know)%20why%20the%20insist%20on%20only%20Authy%3F%3C%2FP%3E%3CP%3E*%20In%20setting%20up%20Authy%20on%20an%20Android%20smartphone%20(I've%20never%20used%20iphone%20so%20can't%20comment%20re%20iphone)%2C%20the%201st%20thing%20Authy%20insists%20that%20you%20action%20when%20setting%20up%20Authy%20on%20a%20smartphone%2C%20is%20enter%20a%20%22Backups%20Password%22%3C%2FP%3E%3CP%3E*%20Unless%20the%20user%20adds%20a%20'Backups%20Password'%2C%20the%20user%20isn't%20given%20the%20option%20to%20add%20any%20accounts%20to%20Authy%20on%20the%20device%3C%2FP%3E%3CP%3E*%20Hence%2C%20a%20Backups%20Password%20must%20be%20added%20for%20Authy%20to%20be%20used%20on%20the%20device%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E5)%20Has%20Authy%20the%20same%20vulnerability%20to%20hacking%20via%20cloud%20backups%20as%20MS%20Authenticator%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20The%20Authy%20Backups%20password%20could%20potentially%20be%20stolen%20via%20key%20logging%20malware%20on%20a%20smartphone%3C%2FP%3E%3CP%3E*%20However%2C%20there%20doesn't%20appear%20to%20be%20anywhere%20to%20login%20with%20that%20password%20(such%20as%20logging%20to%20the%20Authy%20website)%3C%2FP%3E%3CP%3E*%20Hence%2C%20even%20if%20keylogging%20malware%20steals%20my%20Authy%20Backups%20Password%20and%20so%20steals%20my%20Authy%20totp%20tokens%20from%20my%20smartphone%2C%20this%20on%20it's%20own%20doesn't%20threaten%20my%20password%20manager%20(since%20the%20password%20manager%20doesn't%20get%20accessed%20from%20the%20smartphone%20on%20which%20Authy%20is%20installed)%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20disect%3B%20constructive%20critique%20is%20welcomed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3069793%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3069793%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F283216%22%20target%3D%22_blank%22%3E%40Sergg%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Your%20earlier%20comment%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Does%20the%20backup%20and%20restore%20defy%20the%20point%20of%20MFA%20authentication%3F%20This%20process%20does%20potentially%20allows%20cloning%20Authenticator%20app%20into%20a%20secondary%20phone%20(with%20or%20without%20primary%20phone%20owner%20knowledge)%20and%20therefore%20defies%20the%20non-repudiation%20principals.%20What%20is%20the%20protection%20for%20the%20backup%20file%20of%20the%20authenticator%3F%20Microsoft%20Authenticator%20recommends%20using%20%22Microsoft%20Live%22%20account%20that%20is%20a%20personal%20account%20plus%20TEXT%2FCall%2FEmail%20code%20for%20authentication.%20But%20all%20those%20methods%20will%20not%20stop%20from%20backing-up%20unlocked%20phone...%3C%2FP%3E%3CP%3EIs%20there%20in-app%20%2F%20server%20feature%20to%20detect%20two%20authenticator%20apps%20running%20simultaneously%20on%20the%20different%20phones%3F%3C%2FP%3E%3CP%3EP.S.%20There%20was%20always%20an%20option%20to%20clone%20an%20authenticator%20if%20initial%20QR%20code%20intercepted.%20But%20this%20was%20only%20limited%20to%20onboarding%20phase.%20Backup%20and%20restore%20opens%20an%20opportunity%20to%20get%20all%20the%20accounts%20cloned.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20Others%20sharing%20your%20view%3A%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E*%20What%20seems%20to%20be%20the%20very%20vulnerability%20that%20you%20describe%20dawned%20on%20me%20as%20a%20possibility%20this%20morning%3C%2FP%3E%3CP%3E*%20I%20searched%20the%20internet%20to%20see%20if%20anyone%20else%20has%20this%20concern%3B%20that%20search%20led%20me%20to%20your%20comment%3C%2FP%3E%3CP%3E*%20Given%20the%20magnitude%20of%20the%20vulnerability%2C%20I%20am%20surprised%20no%20one%20else%20on%20this%20thread%20seems%20to%20have%20replied%20to%20your%20comment%3C%2FP%3E%3CP%3E*%20On%20this%20thread...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fcloud-backup-and-recovery-for-the-microsoft-authenticator-app-on%2Fba-p%2F566369%22%20target%3D%22_blank%22%3ECloud%20backup%20and%20recovery%20for%20the%20Microsoft%20Authenticator%20app%20on%20Android%20now%20available%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19218%22%20target%3D%22_blank%22%3E%40Jonas%20Back%3C%2FA%3Eseems%20to%20have%20identified%20the%20same%20point%20as%20you%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20Away%20from%20this%20community%2C%20at%20least%20one%20other%20person%20seems%20to%20have%20the%20same%20concern%20as%20you%20highlight%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.transmitsecurity.com%2Fblog%2Fmicrosoft-authenticator-a-false-sense-of-security%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EMicrosoft%20Authenticator%3A%20A%20False%20Sense%20Of%20Security%3F%20-%20Transmit%20Security%20Blog%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E3)%20Is%20the%20Authenticator%20backups%20vulnerability%20potentially%20even%20greater%3F%20(Please%2C%20anyone%20feel%20free%20to%20correct%20me%20if%20I%20am%20wrong)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20I%20suggest%20that%20since%20it%20seems%20a%20phished%20personal%20Microsoft%20is%20all%20that%20is%20required%20to%20for%20a%20hacker%20to%20steal%20all%20the%20MS%20Authenticator%20tokens%20that%20are%20cloud%20backed%20up%20to%20the%20personal%20Microsoft%20account%3C%2FP%3E%3CP%3E*%20What%20if%20one%20of%20the%20totp%20tokens%20backed%20up%20to%20the%20phished%20Microsoft%20account%2C%20is%20the%20the%20totp%20token%20for%20a%20password%20manager%20(e.g.%20Bitwarden%2C%20LastPass%2C%20NordPass)%3F%3C%2FP%3E%3CP%3E*%20If%20the%20MS%20personal%20account%20was%20phished%20by%20key%20logging%20malware%20on%20a%20device%2C%20then%20it's%20very%20possible%20that%20the%20login%20credentials%20for%20the%20password%20manager%20have%20also%20been%20stolen%20with%20the%20key%20logging%20malware%20(if%20the%20MS%20account%20and%20the%20password%20manager%20were%20logged%20into%20using%20the%20same%20infected%20device)%3F%3C%2FP%3E%3CP%3E*%20The%20stolen%20password%20manager%20credentials%20combined%20with%20the%20Authenticaor%20totp%20tokens%20stolen%20via%20the%20Authenticator%20backup%20process%20weakness%2C%20means%20criminals%20could%20then%20run%20riot%20with%20all%20the%20details%20stored%20in%20the%20password%20manager%20(including%20the%20accounts%20in%20the%20password%20manager%20that%20are%202FA%20protected%20with%20MS%20Authenticator)%3C%2FP%3E%3CP%3E*%20This%20is%20all%20the%20more%20ironic%20since%20my%20password%20manager%20vendor%20replied%20to%20an%20email%20I%20sent%20them%20trying%20to%20understand%20the%20risks%20of%20using%20a%20password%20manager%3C%2FP%3E%3CP%3E*%20The%20password%20manager%20vendor%20advises%20that%2C%20I%20should%20never%20install%20a%20password%20manager%20and%20any%202FA%20apps%20that%20protect%20the%20password%20manager%20on%20the%20same%20device%3C%2FP%3E%3CP%3E*%20That%20advice%20from%20the%20password%20manager%20seems%20to%20make%20sense%2C%20since%20keeping%20the%20password%20manager%20and%202FA%20app%20on%20separate%20devices%20acts%20as%20a%20firewall%20in%20case%20of%20data%20exfiltration%20malware%20inadvertently%20being%20installed%20on%20a%20device%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E4)%20Authy%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20I%20use%20an%20online%20account%20that%20insist%20that%20the%20only%202FA%20app%20that%20they%20allow%20for%20their%20online%20account%20is%20Authy%3C%2FP%3E%3CP%3E*%20This%20seemed%20odd%20to%20me%20since%20Authy%20and%20numerous%20other%202FA%20apps%20use%20the%20same%20underlying%20totp%20technology%3C%2FP%3E%3CP%3E*%20I%20took%20this%20up%20with%20the%20tech%20support%20people%20of%20the%20online%20account%20approx%20a%20week%20ago%20(since%20I%20am%20seeking%20to%20steamline%20the%20totp%20apps%20that%20I%20use)%3C%2FP%3E%3CP%3E*%20They%20haven't%20yet%20given%20me%20a%20reply%20as%20yet%20on%20why%20Authy%20is%20the%20only%20totp%20app%20that%20they%20allow%3C%2FP%3E%3CP%3E*%20However%2C%20in%20light%20of%20the%20comments%20by%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F283216%22%20target%3D%22_blank%22%3E%40Sergg%3C%2FA%3E%20%26amp%3B%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19218%22%20target%3D%22_blank%22%3E%40Jonas%20Back%3C%2FA%3E%20%2C%20maybe%20I%20know%20(or%20do%20not%20know)%20why%20the%20insist%20on%20only%20Authy%3F%3C%2FP%3E%3CP%3E*%20In%20setting%20up%20Authy%20on%20an%20Android%20smartphone%20(I've%20never%20used%20iphone%20so%20can't%20comment%20re%20iphone)%2C%20the%201st%20thing%20Authy%20insists%20that%20you%20action%20when%20setting%20up%20Authy%20on%20a%20smartphone%2C%20is%20enter%20a%20%22Backups%20Password%22%3C%2FP%3E%3CP%3E*%20Unless%20the%20user%20adds%20a%20'Backups%20Password'%2C%20the%20user%20isn't%20given%20the%20option%20to%20add%20any%20accounts%20to%20Authy%20on%20the%20device%3C%2FP%3E%3CP%3E*%20Hence%2C%20a%20Backups%20Password%20must%20be%20added%20for%20Authy%20to%20be%20used%20on%20the%20device%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E5)%20Has%20Authy%20the%20same%20vulnerability%20to%20hacking%20via%20cloud%20backups%20as%20MS%20Authenticator%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E*%20The%20Authy%20Backups%20password%20could%20potentially%20be%20stolen%20via%20key%20logging%20malware%20on%20a%20smartphone%3C%2FP%3E%3CP%3E*%20However%2C%20there%20doesn't%20appear%20to%20be%20anywhere%20to%20login%20with%20that%20password%20(such%20as%20logging%20to%20the%20Authy%20website)%3C%2FP%3E%3CP%3E*%20Hence%2C%20even%20if%20keylogging%20malware%20steals%20my%20Authy%20Backups%20Password%20and%20so%20steals%20my%20Authy%20totp%20tokens%20from%20my%20smartphone%2C%20this%20on%20it's%20own%20doesn't%20threaten%20my%20password%20manager%20(since%20the%20password%20manager%20doesn't%20get%20accessed%20from%20the%20smartphone%20on%20which%20Authy%20is%20installed)%3C%2FP%3E%3CP%3E*%20If%20the%20Authy%20backups%20process%20is%20more%20secure%20than%20MS%20Authenticator%2C%20could%20MS%20Authenticator%20be%20developed%20further%20to%20include%20a%20Backups%20Password%3F%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20disect%3B%20constructive%20critique%20is%20welcomed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3069798%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3069798%22%20slang%3D%22en-US%22%3E%3CP%3E*%20The%20comments%20about%20being%20unable%20to%20backup%20to%20work%20or%20school%20Microsoft%20Accounts...%3C%2FP%3E%3CP%3E*%20For%20many%20(most%3F)%20people%2C%20school%20or%20work%20accounts%20are%20not%20lifelong%20accounts%20from%20the%20point%20of%20creation%3C%2FP%3E%3CP%3E*%20In%20other%20words%2C%20people%20move%20on%20in%20life%20and%20as%20they%20leave%20a%20school%20or%20employer%2C%20lose%20access%20to%20the%20email%20account%20that%20the%20school%20%2F%20employer%20provided%3C%2FP%3E%3CP%3E*%20Hence%2C%20if%20e.g.%20an%20ex-employer's%20work%20email%20account%20was%20used%20for%20cloud%20backup%20of%20MS%20Authenticator%202FA%20tokens%2C%20the%20user%20will%20be%20unable%20to%20access%20that%20email%20account%20when%20trying%20to%20recover%20backed%20up%20MS%20Autenticator%202FA%20tokens%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%20or%20No%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3069802%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3069802%22%20slang%3D%22en-US%22%3E%3CP%3EYes%20and%20No%20%3B)%3C%2Fimg%3E%3C%2FP%3E%3CP%3EWhy%20not%20make%20it%20easy%3C%2FP%3E%3CP%3Ethe%20Work%20Account%20is%20always%20synced%20with%20the%20users%20respective%20work%20profile.%20Like%20Edge%20Favorites%20and%20Passwords.%3C%2FP%3E%3CP%3EFor%20all%20the%20other%20accounts%20-%26gt%3B%20Personal%20OneDrive%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3069837%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3069837%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CSPAN%3EHi%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F283216%22%20target%3D%22_blank%22%3E%40Sergg%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CP%3E%22Does%20the%20backup%20and%20restore%20defy%20the%20point%20of%20MFA%20authentication%3F%20This%20process%20does%20potentially%20allows%20cloning%20Authenticator%20app%20into%20a%20secondary%20phone%20(with%20or%20without%20primary%20phone%20owner%20knowledge)%20and%20therefore%20defies%20the%20non-repudiation%20principals.%20What%20is%20the%20protection%20for%20the%20backup%20file%20of%20the%20authenticator%3F%20Microsoft%20Authenticator%20recommends%20using%20%22Microsoft%20Live%22%20account%20that%20is%20a%20personal%20account%20plus%20TEXT%2FCall%2FEmail%20code%20for%20authentication.%20But%20all%20those%20methods%20will%20not%20stop%20from%20backing-up%20unlocked%20phone...%3C%2FP%3E%3CP%3EIs%20there%20in-app%20%2F%20server%20feature%20to%20detect%20two%20authenticator%20apps%20running%20simultaneously%20on%20the%20different%20phones%3F%3C%2FP%3E%3CP%3EP.S.%20There%20was%20always%20an%20option%20to%20clone%20an%20authenticator%20if%20initial%20QR%20code%20intercepted.%20But%20this%20was%20only%20limited%20to%20onboarding%20phase.%20Backup%20and%20restore%20opens%20an%20opportunity%20to%20get%20all%20the%20accounts%20cloned.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20replied%20to%20your%20point%20in%20this%20thread%20where%20someone%20else%20has%20raised%20a%20similar%20point%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fcloud-backup-and-recovery-for-the-microsoft-authenticator-app-on%2Fbc-p%2F3072190%23M3985%22%20target%3D%22_blank%22%3ECloud%20backup%20and%20recovery%20for%20the%20Microsoft%20Authenticator%20app%20on%20Android%20now%20available%20-%20Page%202%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3218593%22%20slang%3D%22en-US%22%3ERe%3A%20How%20it%20works%3A%20Backup%20and%20restore%20for%20Microsoft%20Authenticator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3218593%22%20slang%3D%22en-US%22%3E%3CP%3EAfter%20recovering%20to%20a%20new%20phone%2C%20I%20need%20to%20reapply%20a%20new%20QR%20code%20for%20each%20of%20my%2040%20accounts.%20What's%20the%20point%20of%20a%20backup%20if%20I%20have%20to%20spend%20hours%20to%20reapply%20a%20QR%20code%3F%20Doesn't%20make%20sense%20and%20the%20whole%20backup%20and%20recovery%20is%20useless%20and%20totally%20pointless.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Jul 24 2020 01:29 AM
Updated by: