Did you see this, @Lee_Holmes ? Guy locked himself out of MSA MFA by removing his phone number as a login alias. Login is now unrecoverable.
Tagged @kgizdov into the thread so they know!
I just published The efficiency of Microsoft. Or how the Microsoft MFA system almost brought me to a complete nervous breakdown in under 24 hours. @Microsoft #MFA #Security #Bug
- I am SO sorry. Please accept my apologies. Thank you for surfacing & including the details. The team has diagnosed. Was caused by a recent regression. Fix is being deployed. Will go live worldwide overnight. We will also debug and fix the support experience as well.
Thanks Scott and Mat for acknowledging and routing this quickly to the right place -- and great turnaround from Alex. This has turned into a net positive exposure for Microsoft.
Thanks. It's appreciated. However, I've also pointed out very specific MFA procedure & policy issues currently plaguing the entire system. They should be addressed too. Otherwise, when inevitably another bug surfaces, we will be right back here. I hope that can be avoided. :)
Thank you so much for your report. I am a program manager on @Alex_A_Simons's team who is helping to investigate this issue. Would you mind DMing me so we can connect over email to discuss further?
Also, do you think this is worthy of the Microsoft Bug Bounty Program, section Microsoft Identity?
Please send me a DM - want to understand the MFA issue you are highlighting.
Please also fix the payment issues plaguing Indian users... And it'll be great if you can unify your services that are spread across so many different domains - very confusing!…
Are you going to fix the recovery codes to work in less than 30 days also? I was TERRIFIED when I needed to make my MS accounts (with thousands in purchases) rely on the functioning and not-being-stolen of a cellphone, and now I learn the recovery code is useless!?
As a general rule I'd LOVE to just have a button that says "look I understand the risks, I don't want to make my MS account worth thousands of dollars depend on my delicate and easily-stolen cellphone, please just let me keep using email or SMS".
I love the Identity team, seriously. They are incredibly helpful and kind. One of the things that I hope that comes out of this is an understanding that support is really problematic for customers. I know that’s not on the identity team, but I hope it spurs discussions.
Impressive, kudos to the crew.
Looks like a place to complain about MFA. Why a user can add an Azure MFA method under mySignins without reauthentication? (It asks to reauthenticate when adding a FIDO2 key)
Here's a @TheRegister report. The #MFA topic for @Microsoft services is important. I find #identitymanagement for #SOHO #LAN is unnecessarily tricky. The non-paid root account (thus poorly supported) and the 30-day code-based recovery are ill-considered.
User locked out of Microsoft account by MFA bug, complains of customer-hostile support
'So sorry' says Microsoft Identity VP – but its unhelpful support systems will be hard to fix