How it works: Backup and restore for Microsoft Authenticator
Published Nov 13 2019 01:00 PM 146K Views
Microsoft

Hello! With the dust settling from Ignite 2019, let’s dive in with “how stuff works” – focusing on the Microsoft Authenticator’s backup and restore feature.

 

Earlier this year we released the Microsoft Authenticator backup and restore feature on iOS and Android, which lets you easily move your accounts on the Authenticator app to a new device. Some folks have asked how we secure this process – in this blog, we’ll deep dive into how it works.

In the descriptions below, a “strong authentication token” means the user has authenticated using multi-factor authentication. For example, they used a password and then entered a code sent to their phone or email, or signed in with Windows Hello or a FIDO token, depending on the factors they have previously enabled.

 

Overview of how the Microsoft Authenticator works

The Microsoft Authenticator supports a variety of authentication mechanisms to support Microsoft consumer, work and school accounts in different modes, as well as any account which supports the OATH TOTP standard.

 

For accounts using the OATH TOTP standard, there is a shared secret stored both in the Authenticator app and in the identity provider.

 

For accounts using other mechanisms, the Authenticator creates a public/private keypair in hardware-backed storage (e.g. the Keychain on iOS and Keystore on Android) and exports the public key to Microsoft’s login server. The private key never leaves the device when a user is using the backup or restore features of their Authenticator app or when using the operating system app restore features.

 

Backup

To restore Microsoft Authenticator accounts on a new device, the user must first back up their current device. Here are the steps.

  1. The user starts the backup process by clicking on the menu, going to settings, and enabling backup.
  2. The Authenticator app uses a strong authentication token to request a 256-bit key from an internal Microsoft account key service. The app receives this key and a retrieval id (Key ID) from the key service.
  3. The Authenticator uses the key to create an encrypted JSON Web Encryption blob (JWE) using AES-256. The information contained varies based on what accounts the Authenticator’s owner has configured.
    1. For all accounts, the Authenticator encrypts relevant metadata about the account such as:
      1. Backup creation time
      2. Account system
      3. Username
      4. Credential types (e.g. Phone Sign-In, TOTP)
    2. For OATH TOTP accounts (including personal Microsoft account and third party), the JWE also includes the shared secret used in TOTP.
    3. The data above is also hashed with SHA-512 to protect against theft and tampering and this hash is added to the JWE.
  4. The JWE and the Key ID are then uploaded to the appropriate cloud storage:
    1. For Android devices, they are stored in Microsoft’s cloud storage provider and tied to the user’s personal Microsoft account.
    2. For iOS devices, they are stored in iCloud and tied to the user’s Apple account.

Restore

After the backup has been successfully created, the user can restore their Microsoft Authenticator accounts on a new device. Here are the steps:

  1. The user starts the recovery process by clicking on “Begin Recovery” on the home screen of the app.
  2. The user is required to sign into the account they used to create the backup in step 2, after which the app retrieves the JWE and Key ID stored in step 4 from the appropriate cloud storage – Microsoft’s cloud storage provider (Android devices) or iCloud (iOS devices).
  3. The Authenticator app uses a strong authentication token and the Key ID to retrieve the key from the Microsoft account key service.
  4. Using the key, the Authenticator decrypts the JWE and verifies its integrity using the hash from step 3c.
  5. The contents of the accounts stored in the JWE are used to populate the application, and the user can see their accounts in the app.
    1. OATH TOTP accounts (from 3b) are fully set up as the shared secret has been restored.
    2. For all other accounts displayed, the user must authenticate to create a new public/private keypair on the device and re-register each account’s public key for the new Authenticator instance.
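
The backup and restore steps above, as an added Go example that is not Microsoft's code: it seals the account list and its SHA-512 digest into a compact JWE and, on restore, decrypts and re-checks the digest. The post does not say which JWE algorithms or payload layout the app uses, so direct-key (`dir`) `A256GCM`, the field names and the sample values are assumptions, and the key is passed in where the app would obtain it from the key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Account is a constructed stand-in for one backed-up entry (field names are assumptions).
type Account struct {
	System, Username, CredType string
	TOTPSecret                 string `json:"totp_secret,omitempty"` // only OATH TOTP accounts
}

type payload struct { // plaintext inside the JWE
	Created  string
	Accounts []Account
	SHA512   string // digest over Created and Accounts
}

var b64 = base64.RawURLEncoding
var ErrDecrypt = errors.New("decryption failed: wrong key or modified JWE")
var ErrIntegrity = errors.New("payload does not match its SHA-512 digest")

func digest(created string, accts []Account) string {
	body, _ := json.Marshal(payload{Created: created, Accounts: accts})
	sum := sha512.Sum512(body)
	return b64.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 only; a shorter key would silently select AES-128/192
		return nil, errors.New("key must be 256 bits")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// seal encrypts p into a compact JWE: header..iv.ciphertext.tag (alg "dir", no wrapped key).
func seal(key []byte, keyID string, p payload) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	hdrJSON, _ := json.Marshal(map[string]string{"alg": "dir", "enc": "A256GCM", "kid": keyID})
	hdr := b64.EncodeToString(hdrJSON)
	iv := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(iv); err != nil {
		return "", err
	}
	pt, _ := json.Marshal(p)
	out := gcm.Seal(nil, iv, pt, []byte(hdr)) // the encoded header is authenticated as AAD
	n := len(out) - gcm.Overhead()
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(out[:n]), b64.EncodeToString(out[n:])}, "."), nil
}

// Backup follows backup step 3: metadata, TOTP secrets and their digest go into the JWE.
func Backup(key []byte, keyID, created string, accts []Account) (string, error) {
	return seal(key, keyID, payload{created, accts, digest(created, accts)})
}

// Restore follows restore step 4: decrypt with the retrieved key, then check the digest.
func Restore(key []byte, jwe string) ([]Account, error) {
	gcm, err := newGCM(key)
	parts := strings.Split(jwe, ".")
	if err != nil || len(parts) != 5 || parts[1] != "" {
		return nil, errors.New("bad key length or not a direct-key compact JWE")
	}
	iv, e1 := b64.DecodeString(parts[2])
	ct, e2 := b64.DecodeString(parts[3])
	tag, e3 := b64.DecodeString(parts[4])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != gcm.NonceSize() {
		return nil, ErrDecrypt
	}
	pt, err := gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
	if err != nil {
		return nil, ErrDecrypt
	}
	var p payload
	if json.Unmarshal(pt, &p) != nil || digest(p.Created, p.Accounts) != p.SHA512 {
		return nil, ErrIntegrity
	}
	return p.Accounts, nil
}

func main() {
	key := make([]byte, 32) // constructed stand-in for the key issued by the key service
	rand.Read(key)
	jwe, _ := Backup(key, "kid-1", "2019-11-13", []Account{{"Example", "user@example.com", "TOTP", "JBSWY3DPEHPK3PXP"}})
	accts, err := Restore(key, jwe)
	fmt.Println(len(accts), err)
}
```

Because the encoded header is passed as additional authenticated data, a blob whose Key ID has been swapped fails decryption before the digest is ever examined.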

Backup and Recovery Diagram

What’s life without a little UML? Here’s a picture encapsulating the flow described above.

 

[Image: Auth Backup and Restore.PNG]

 

Summary

Hopefully this helps you understand the mechanics behind our secure backup and restore process for Microsoft Authenticator. If you have any more questions, check out our Microsoft Authenticator docs or ping me at @alex_t_weinert.

 

Stay safe out there!
- Alex

 

51 Comments

How about between iOS and Android?

Copper Contributor

Hello @Alex Weinert , how are you ? :smile:

 

I did the test below and it didn't work for this use case (iPhone full restore from iCloud). The restore is only working if I delete the app and reinstall in the same device or moving between devices, but not when I perform a full iPhone restore in the same iPhone.

 

iOS 13.2.2 / iPhone 11

 

steps:

1) installed Microsoft Authenticator app

2) setup personal account (@hotmail.com)

3) added 2 records (facebook and google)

4) performed backup to iCloud using backup feature of Microsoft authenticator app

5) performed iPhone backup using iOS iCloud feature

6) reinstall iPhone using iCloud backup

 

After the restore, I tried to follow the "Begin Recovery" procedures of Microsoft authenticator app, but I received the message that I don't have a backup available in my iCloud. But I have the backup.

 

Any ideas ?

 

Regards,

 

Weber Ress

Copper Contributor

I experienced exactly the same as Weber. But I found an iCloud 'switch' in the settings within authenticator, which was switched off. So an iCloud backup of your iPhone apparently doesn't backup the authenticator. I have now put this switch to 'on'.

I now have three accounts in the authenticator that will not give me any one time passwords. I'm still trying to get them to work without completely reinstalling the app. Any thoughts anyone?

 

Jeroen

Copper Contributor

In my use case, my iCloud account is w1xxxx@icloud.com and my personal MS account is w2xxxx@hotmail.com. Also, I've activated the iCloud backup within MS auth app.

 

[]'s !

 

Weber

Copper Contributor
I love the cloud backup feature, it saved between factory reset! Only thing would make this the best is for it to have a dark mode.
Copper Contributor

Has anyone successfully backed up and restored MS Auth when you switch MDM's?  

Copper Contributor

This is a good start, but in need of more work I think. Two major stumbling blocks for our adoption are

 

1) You can't backup to a work or school account.

2) You can't restore across platforms.

 

I could probably live without the first one (whilst grumbling), but it's dead in the water without the second. A backup you can't recover is hopeless.

 

Please someone tell me I'm missing something so I can apologise and get excited about this.

Copper Contributor

I was having issues with the sound and haptics on my iPhone and needed to do a reset and restore from iCloud. MSAuthenticator was set to back up to the cloud. I had moved all my accounts out of Google Authenticator because of the horror stories I had heard from people losing codes when getting a new phone or restoring. 

 

Now as it turns out, I ended up losing all the codes I had in MS Authenticator. When going to Recover Accounts, it only loads my account that was associated with the backups in iCloud that I assumed would be used to restore the codes. Ironically, all the codes I had in Authy and Google authenticator are all there without having had to do anything. Is there any way to get them back? Such a bummer.

 

I have been trying to decide between MS and Authy for a while now and it seems like the choice is now obvious which to go if you don't want to lose all your codes in the event of doing a restore on your phone. 

Iron Contributor

Quick question to Microsoft Team,

Does the backup and restore defy the point of MFA authentication? This process does potentially allow cloning Authenticator app into a secondary phone (with or without primary phone owner knowledge) and therefore defies the non-repudiation principles. What is the protection for the backup file of the authenticator? Microsoft Authenticator recommends using "Microsoft Live" account that is a personal account plus TEXT/Call/Email code for authentication. But all those methods will not stop from backing-up unlocked phone...

Is there in-app / server feature to detect two authenticator apps running simultaneously on the different phones?

P.S. There was always an option to clone an authenticator if initial QR code intercepted. But this was only limited to onboarding phase. Backup and restore opens an opportunity to get all the accounts cloned.

Copper Contributor

I've got a pretty basic issue with the Microsoft Authenticator - or maybe it's just the documentation/help.

 

To ensure I can recover from loss/theft/etc, I've turned on "Cloud backup" in the Authenticator app's settings on my android phone. The immediate question that comes to mind is whether this is a one-off backup, or whether MS Authenticator is going to keep "syncing" to the secure cloud-backup (linked to my MS account) all subsequent additions/changes/etc to the accounts I store in Authenticator. I assume it is an ongoing process because I "turn on" the cloud-backup rather than just "creating" it. But this is not confirmed in any MS documentation I have found - apart from one article in the Azure Active Directory Blog, which states:

 

"Once you turn cloud backup on, your data is encrypted and stored with your personal Microsoft account. Your account credentials stay updated when you add, delete, or edit your accounts."

 

However, if, in the Microsoft Authenticator app on my phone, I go to the backup settings and tap on "Details", it shows when the backup was "created" and when it was "last updated". The creation date-time is indeed when I turned on Cloud-backup - but the "last updated" date-time is only 3 secs later, even though I have since added several 3rd party accounts to the Authenticator.

 

So what is going on? Is the Cloud-backup not working properly? Is the "last updated" info shown in the app just plain wrong? Or am I missing something? The devil's in the details - and if the details are wrong you can't really rely on the app.

Copper Contributor

To restore on android, just (re)install the app, don't add an account, just use skip a few times until you see the restore option.

Works also to install it on a second android device, just use your backup account from the first device in the restore option.

Copper Contributor

I’d like to restore from an older backup but Authenticator won’t let me. Is there a workaround?

Microsoft Authenticator is really the best authenticator app out there, I love this backup/restore functionality. when I was using other authenticator apps and I reset my phone, uninstalled the app, lost the phone etc, I had to go through the trouble of recovering each of my accounts

but with backup/restore feature none of them is necessary anymore.

 

I just wish Microsoft Authenticator had an app for Windows 10 too.

Copper Contributor

Servus Alex,

the question is:
[...] they are stored in Microsoft’s cloud storage provider and tied to the user’s personal Microsoft account.

WHERE? is this? How to view the data in my profile?

THX
Mark

Copper Contributor

Is there anyway to restore older backups aside from my current one?

@gruppenrichtlinien you can view your data by signing into Edge desktop, mobile, use Authenticator app on mobile, use Autofill extension from Chrome browser available for Chrome.

Deleted
Not applicable

Android:

I have 2 MS Authenticator installed: one for private use, another for company use in Work Profile.

The private Authenticator backup is working OK, the company Authenticator - requires private MS account - it is a no-no in work profile - so no backup :(

Copper Contributor

@HotCakeX Is there any way I can view previous cloud backups for Microsoft Authenticator?

@HunterHero1234 by previous do you mean deleted content? 

Copper Contributor

@HotCakeX Yeah basically is there a way to restore deleted auth keys, or previous cloud backups/older backups

@HunterHero1234 I don't think so, I read the Microsoft Docs section about it but couldn't find anything

https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-overview

 

Copper Contributor

@HotCakeX

I was told to contact the microsoft data protection team to ask about my data idk if they can help tho

@HunterHero1234 Well give it a try, hope for the best

Copper Contributor

I'm rather disappointed it can't restore the 20 or so work MFA accounts I have, and that it can't do cross platform restore.

Copper Contributor

@Jules22 Your observations regarding the backup not being updated appear to be correct: I noticed the same thing, and I've since confirmed that the backup is not updated automatically. (I installed the app on another phone, and restored from the backup, and the backup only contained the entries saved when I first enabled backups. I repeated this test two more times, adding and removing a fake entry, with only manual-backup-deletion-and-recreation transferring the changes.)

 

So yes, the statement about the backup being automatically updated as you add/remove entries is just plain wrong. (at least on Android)

 

This is probably the source of some reviews on the Play Store about the backup not-working/being-empty -- the app doesn't make it clear that you have to manually delete-and-recreate the backup each time you make a change.

Copper Contributor

Hello,

I deleted by error the Microsoft Authenticator App from my Android.

I try to reinstall it now.

Either I use the restore and back-up or add my former account, I always have to identify.

But the App gives an old email address and telephone number which are not in use anymore...

No way to get around so I’m blocked, even to enter my Microsoft Account.

Anyone a solution?

Thanks a lot,

Wim

Copper Contributor

As a solution I find this:

 

Existing Microsoft Authenticator accounts: If you have already set up accounts in the Microsoft Authenticator app, the app cannot restore your backup account. Preventing recovery ensures that your account information is not overwritten with outdated information. In this case, you must delete the existing account information from the existing accounts set up in the authenticator app before you can restore your backup.

 

So I should delete the account data but I don't see how to do that.

 

Thanks

Copper Contributor

Hello,

I use a company IPhone and for this it is forbidden (and disabled by IT) to use iCloud. Did you guys also consider this somehow? is there another option to just backup it to my Laptop and Restore it from there? Or using your OneDrive Cloud? 
Because I have several Accounts linked there and it will be very annoying to disable and reenable all of them manually.

Copper Contributor

Hello,

 

I'm facing the same issue as AVRM91 (iCloud blocked on managed iPhone). Additionally, I'd like to import a backup made with the authenticator on Android, on iOS. Why isn't it possible to select OneDrive as source when restoring a backup on iOS?  Even if iCloud wasn't blocked, I wouldn't be able to restore the backup on iOS as on iOS, only iCloud is supported.  Would it be possible to change that in a future version?  Even an option to import an offline backup would help.

Copper Contributor

Is there a solution for backing up locally or otherwise when a corporate managed IPhone does not allow icloud backup?

Steel Contributor

I would also need to know that.

We have Apple DEP phones that do not need an account @ Apple and we like to keep it that way.

Also - corporate accounts should not be on private storage.

Copper Contributor

Recovery doesn’t work on iOS. Restored an iOS device a few months ago, and just transferred to a new iphone. Both times the “start recovery” process failed complaining that no iCloud backup existed. Triple-checked backup was on and up to date before proceeding both times.

From the logs it looks like the app is deleting the backup on first run when it detects no account signed in.

 

2021-09-24 21:21:20.750         VERB                PhoneFactor    0          TID=13             219 (updateCloudBackupIfNeeded()) There is MSA backup metadata, but the MSA account is gone. Delete backup.

 

2021-09-24 21:21:20.750         VERB                PhoneFactor    0          TID=13             148 (deleteBackup(backupName:completionHandler:errorHandler:)) Deleting backup with name Backup

 

2021-09-24 21:21:20.751         VERB                PhoneFactor    0          TID=13             113 (delete(containerIdentifier:completionHandler:errorHandler:)) Deleting a CloudKitContainer with name:Backup type:MicrosoftAuthenticatorBackup from the CloudKit storage.

 

Submitted a ticket through the App, hopefully someone is looking into this, but I’d say it’s not been working for several months. 

Copper Contributor

I have my MS Auth App backed up on an iphone 12.  I use it for an Office 365 work account.  I read that if I restore to a new phone, for the work account it will ask me to scan the bar code.  To get that bar code, I need to log into the 365 account and setup MFA again.  If I need MFA to log in, how do I get in if I don't have the old phone?  I am not in this situation but curious what if I no longer had access to the old phone (lost or broke) and had to get a new one?

Steel Contributor

@rincman 

Ask your IT to reset your MFA Auth

Copper Contributor

@StephanGee 

Thanks. I am the IT :).  Only me and three other users.

Copper Contributor

Hi @Sergg

 

1) Your earlier comment:

 

"Does the backup and restore defy the point of MFA authentication? This process does potentially allows cloning Authenticator app into a secondary phone (with or without primary phone owner knowledge) and therefore defies the non-repudiation principals. What is the protection for the backup file of the authenticator? Microsoft Authenticator recommends using "Microsoft Live" account that is a personal account plus TEXT/Call/Email code for authentication. But all those methods will not stop from backing-up unlocked phone...

Is there in-app / server feature to detect two authenticator apps running simultaneously on the different phones?

P.S. There was always an option to clone an authenticator if initial QR code intercepted. But this was only limited to onboarding phase. Backup and restore opens an opportunity to get all the accounts cloned."

 

2) Others sharing your view:


* What seems to be the very vulnerability that you describe dawned on me as a possibility this morning

* I searched the internet to see if anyone else has this concern; that search led me to your comment

* Given the magnitude of the vulnerability, I am surprised no one else on this thread seems to have replied to your comment

* On this thread...

 

Cloud backup and recovery for the Microsoft Authenticator app on Android now available - Microsoft T...

 

@Jonas Back seems to have identified the same point as you

 

* Away from this community, at least one other person seems to have the same concern as you highlight

Microsoft Authenticator: A False Sense Of Security? - Transmit Security Blog


3) Is the Authenticator backups vulnerability potentially even greater? (Please, anyone feel free to correct me if I am wrong)

 

* I suggest that since it seems a phished personal Microsoft is all that is required for a hacker to steal all the MS Authenticator tokens that are cloud backed up to the personal Microsoft account

* What if one of the totp tokens backed up to the phished Microsoft account, is the totp token for a password manager (e.g. Bitwarden, LastPass, NordPass)?

* If the MS personal account was phished by key logging malware on a device, then it's very possible that the login credentials for the password manager have also been stolen with the key logging malware (if the MS account and the password manager were logged into using the same infected device)?

* The stolen password manager credentials combined with the Authenticator totp tokens stolen via the Authenticator backup process weakness, means criminals could then run riot with all the details stored in the password manager (including the accounts in the password manager that are 2FA protected with MS Authenticator)

* This is all the more ironic since my password manager vendor replied to an email I sent them trying to understand the risks of using a password manager

* The password manager vendor advises that, I should never install a password manager and any 2FA apps that protect the password manager on the same device

* That advice from the password manager seems to make sense, since keeping the password manager and 2FA app on separate devices acts as a firewall in case of data exfiltration malware inadvertently being installed on a device

 

4) Authy

 

* I use an online account that insist that the only 2FA app that they allow for their online account is Authy

* This seemed odd to me since Authy and numerous other 2FA apps use the same underlying totp technology

* I took this up with the tech support people of the online account approx a week ago (since I am seeking to streamline the totp apps that I use)

* They haven't yet given me a reply as yet on why Authy is the only totp app that they allow

* However, in light of the comments by @Sergg & @Jonas Back , maybe I know (or do not know) why they insist on only Authy?

* In setting up Authy on an Android smartphone (I've never used iphone so can't comment re iphone), the 1st thing Authy insists that you action when setting up Authy on a smartphone, is enter a "Backups Password"

* Unless the user adds a 'Backups Password', the user isn't given the option to add any accounts to Authy on the device

* Hence, a Backups Password must be added for Authy to be used on the device

 

5) Has Authy the same vulnerability to hacking via cloud backups as MS Authenticator?

 

* The Authy Backups password could potentially be stolen via key logging malware on a smartphone

* However, there doesn't appear to be anywhere to login with that password (such as logging to the Authy website)

* Hence, even if keylogging malware steals my Authy Backups Password and so steals my Authy totp tokens from my smartphone, this on its own doesn't threaten my password manager (since the password manager doesn't get accessed from the smartphone on which Authy is installed)

* If the Authy backups process is more secure than MS Authenticator, could MS Authenticator be developed further to include a Backups Password?

Please dissect; constructive critique is welcomed.

Copper Contributor

* The comments about being unable to backup to work or school Microsoft Accounts...

* For many (most?) people, school or work accounts are not lifelong accounts from the point of creation

* In other words, people move on in life and as they leave a school or employer, lose access to the email account that the school / employer provided

* Hence, if e.g. an ex-employer's work email account was used for cloud backup of MS Authenticator 2FA tokens, the user will be unable to access that email account when trying to recover backed up MS Authenticator 2FA tokens

 

Yes or No?

Steel Contributor

Yes and No ;)

Why not make it easy

the Work Account is always synced with the users respective work profile. Like Edge Favorites and Passwords.

For all the other accounts -> Personal OneDrive

Copper Contributor
Hi @Sergg 

"Does the backup and restore defy the point of MFA authentication? This process does potentially allows cloning Authenticator app into a secondary phone (with or without primary phone owner knowledge) and therefore defies the non-repudiation principals. What is the protection for the backup file of the authenticator? Microsoft Authenticator recommends using "Microsoft Live" account that is a personal account plus TEXT/Call/Email code for authentication. But all those methods will not stop from backing-up unlocked phone...

Is there in-app / server feature to detect two authenticator apps running simultaneously on the different phones?

P.S. There was always an option to clone an authenticator if initial QR code intercepted. But this was only limited to onboarding phase. Backup and restore opens an opportunity to get all the accounts cloned."

 

I've replied to your point in this thread where someone else has raised a similar point:

 

Cloud backup and recovery for the Microsoft Authenticator app on Android now available - Page 2 - Mi...

Copper Contributor

After recovering to a new phone, I need to reapply a new QR code for each of my 40 accounts. What's the point of a backup if I have to spend hours to reapply a QR code? Doesn't make sense and the whole backup and recovery is useless and totally pointless.

 

 

Copper Contributor

@HotCakeX  

I accidentally replaced my backup with an empty one. is there any way I can restore an old backup?

@Sherazawan if you have Microsoft Authenticator on a device with the old stuff, you can turn on back up from there. if you no longer have the app on any of your devices with the old data and you replaced your backup with an empty one then I don't think you can get your previous backup.

Copper Contributor
Before, my mobile reset itself and factory restore. Make the Facebook app data and Microsoft Authenticator was deleted and when I login to Facebook they ask a two-step security code from the Microsoft Authenticator app. But I can't login to that app, because my login account is missing. And I can't recover my account. I would like your help to cancel the two-step security code, because I want to access my Facebook.
 
 Thank you and please help
 
Kanchalee P.
Copper Contributor

Why can't I backup to my own personal business account?

Copper Contributor

Also overwrote a good backup with blank one because there are no safeguards preventing you from doing so.  Maybe a prompt that says, "A backup already exists, are you sure you want to overwrite?" would go a long way from preventing this nightmare.  What a piece of junk.  #MeToo

Brass Contributor

Hello @Alex Weinert 

I am a Microsoft 365 Global Admin for my company.   I am facing a very frustrating situation with a Microsoft Authenticator backup/restore issue. 

I recently migrated to a new phone. I turned on the Authenticator backup on the old phone and logged into my personal Microsoft account and did the MSA backup. I was able to restore to the new phone after signing into my personal Microsoft account, where I only had a single MFA method setup - SMS.

I then added what I thought would be a more secure MFA method to my personal Microsoft account:  Authenticator number matching, and one additional method for good measure:  email. 

A couple of weeks later, I discovered that I have a faulty camera on the new phone and the manufacturer had me jump through numerous hoops before they would do an RMA. One hoop was a factory reset. I once again did Authenticator backup. After the factory reset, I installed Microsoft Authenticator and attempted to restore from backup. I had to log in to my personal Microsoft account. It required a number match in Authenticator, which of course was not yet available. But since I have two alternate MFA methods set up for my personal account, email and text, I proceeded with clicking the "I don't have access to my Microsoft Authenticator app" link. I selected the text method. I was then asked for a second form of MFA and I chose the email method. I mistyped my email confirmation... The second time I correctly confirmed my email, I get a message that I have requested too many codes and that I have to "wait until tomorrow".

WTH!

I am really expected to wait 24 hours before I can restore the Microsoft Authenticator data from my personal Microsoft account?  

 

There are many job responsibilities I am unable to perform today due to this situation.  It's a catch 22 situation that Microsoft as a whole has created, although I am sure it's also a situation where the right-hand of MS (Enterprise) Identity Security is not fully aware of what the left-hand of MS (consumer) Identity Security is doing.  

Will we ever be able to back up Authenticator data with encryption to a local folder and then transfer to an attached computer? (Like Signal does.)

Will we ever be able to back up Authenticator data to our Work/School accounts where we have paid subscriptions with nearly immediate support?

Will there ever be a support option for personal accounts where we can request to get back into our account sooner than 24 hours after a "Too many codes" situation?   If you are going to force us to use a personal account to backup MSA, then MS better **bleep** well provide a way to get into our personal accounts without a 24 hour wait when MFA goes awry. 


Who has any solutions... besides waiting for 24 hours?   

@sabinasmith can you help if Alex is busy?
 



 

Copper Contributor

@Scot Bickell I do not have a solution to get you in sooner but wanted to note a couple of things that may help others. I am also the Admin but my org is only 4 E3 users (and three are me). I recently upgraded my iPhone 12 to a 14 and restored the iPhone from the cloud. All my MS Authenticator items were there (I did not have to restore from backup) but the E3 365 items in Authenticator I had to log back into each account security (on computer) and re-scan the barcode for the MFA. My MS Live accounts all I had to do was log in on MS Authenticator. All my other non MS accounts were there.

 

To log in to my 365 accounts I think I chose the SMS option when prompted since the Authenticator was not set up on that phone. I think I used my LastPass authenticator code on one to try it. I do have a second Android phone I could have used for the prompt but chose not to. I also have LastPass Authenticator on the iPhone. Now that one you can restore all the accounts on the new phone and that still worked for the 365 accounts. The LastPass app was not properly restored from the iPhone cloud backup restore. I uninstalled it and restored the backup. I guess the MS Authenticator is different due to the push and the iCloud backup did not fully restore the E3 accounts. I already read about that so was prepared.

 

One question I do have on MS Authenticator backups.  If I backup MS Authenticator on my iPhone to a MS Live Account and backup the one on my android to the same MS Live account, will that create an issue?  I wound up creating a second MS Live account just to backup the android since I did not want to mess up the backup on the iPhone.

Copper Contributor

Hi @Alex Weinert could you please clarify whether one recovery account can be used for multiple backups (e.g. backup with Apple ID "AAA" and backup with Apple ID "BBB")?

 

Even ChatGPT is confused and suggests: "To avoid potential issues, it's generally recommended to use separate recovery accounts for different primary accounts, especially if they're associated with different Apple IDs. This ensures that each backup is distinctly managed and easily recoverable without confusion or conflict. Given these considerations, if you intend to use the same recovery account for both Apple IDs, it would be prudent to first verify with Microsoft's support or documentation to understand how the app will manage these backups. This will help ensure that you don't accidentally lose access to your authentication data for either Apple ID."

 

@rincman Did you find out meanwhile?

Copper Contributor

Hello @Alex Weinert ,
can you please make Microsoft's cloud storage provider available for iOS devices, as my company disabled the option to use iCloud?
Thanks

Version history
Last update:
‎Jul 24 2020 01:29 AM
Updated by: