Since 28 October 2018, when I log into outlook.com or onedrive.live.com, I am NOT prompted to provide a one-time code. The only time I am prompted to provide a code in the Microsoft environment is when I enter the MS account security page. This does not seem like correct behavior, having only the account security page of the overall MS cloud computing environment 2FA-protected, but leaving email and documents unprotected. Nor does this new behavior match prior behavior before the change on 27 October 2018.
I have full control over my account at this time.
I have been able to replicate this behavior across 3 browsers (Firefox, Chrome, and Safari; note that Safari is a naked browser with no add-ins), and the incorrect behavior has persisted since 28 October.
I submitted the bug report to Microsoft Security Response Center <[email protected]>, who acknowledged it seemed like a bug but closed the issue on their end without taking action. They asked me, if the issue persists, to resubmit with a bunch of stuff that is way outside my wheelhouse:
* Description of the vulnerability
* Detailed steps required to consistently reproduce the issue
* Short explanation on how an attacker could use the information to exploit another user remotely
* Proof-of-concept (POC), such as relevant code samples, a video recording, crash reports, or screenshots
Does anybody know a person in Microsoft who might be willing to take this up?