Better late than never
Australian security consultant Brett Randall posted about the security hole over the course of several months and said he saw more than 100,000 views on that LinkedIn post.
“This now restores Microsoft Authenticator to be compatible with other phone-based TOTP authentications. It no longer allows accidental overwriting of TOTP keys if certain conditions, including reused email addresses, exist, which would have locked users out of unrelated systems with little warning,” Randall wrote on LinkedIn. “Thank you, Microsoft, for fixing this issue, even if it was more difficult than it should have been to get recognition that the issue existed.”
Tim Erlin, API security lead at Wallarm, was one of many users last month who confirmed the Microsoft Authenticator issue. “While it seems that it was not easy to handle, it is good to see that Microsoft has fixed this issue with its Authentication program. There is no doubt that it will prevent future headaches for their users,” said Erlin.
Source link