The efficiency of Microsoft. Or how the Microsoft MFA system almost brought me to a complete nervous breakdown in under 24 hours.
Update 12/10/21, 10:15 UTC: I never imagined this post would reach the front page on Hacker News and gather so much support. Thank you all! Please check the bottom of the article for some changes that took effect overnight.
TL;DR: If you have MFA enabled on your Microsoft account, your phone number is automatically added as a sign-in alias, which adds attack surface to your account. Attempting to remedy this by restricting your phone number to MFA use only removes it from the MFA backend instead, while leaving it on your account. That prevents MFA from working altogether, but it does not disable MFA for the account, leaving your account completely inaccessible forever. Microsoft support will then blame their bug on you, the user, and refuse to acknowledge the issue, clinging to an internal policy that is set up entirely incorrectly. If you think the account recovery, MFA setup, password reset or account reinstatement forms will work, you would be wrong. All of these rely on the same system, which has been allowed to enter an unsupported state and cannot recover on its own.
The long bit
If you find yourself immediately thinking: “This is just the next Microsoft hater!” or “What a bunch of nonsense…” or even “That’s just inflammatory!” then, please, oh please, give me a chance to tell the story after which I’m sure you will agree with me that this is a severe bug that needs fixing asap.
We’ve all heard it; we’ve all been there, users complaining about Microsoft forcing MFA on them. Users having mad trouble because most don’t understand it and others because all of a sudden, they have to install yet another MFA app. It’s a mess. This story is not that kind of a mess. I believe what happened to me to be an entirely new set of circumstances portraying the dangers Microsoft has inadvertently introduced to users by trying to reinvent the wheel.
First, let me set some expectations (as Microsoft support has repeatedly said to me these past days). I have had 2FA on my long-standing personal Microsoft account since it was available, long before the recent MFA system they introduced. I am, what they call on the Interwebz, tech-savvy enough to understand what MFA (multi-factor authentication) is, how it works and why everyone should have it. I was there when Facebook demanded you have a phone-number-only 2FA and did not allow TOTP. I was there when they realised this was a horrible idea and allowed users to have 2FA with authenticator apps and recovery codes. And precisely because I was there, I could get the tiniest chance at recovering my account in 30 days. If you were not there and do not currently have an account recovery code, for the love of all that is good, go and create one immediately. Store it in a safe place, and even then, read this article. It will help you protect your things from a broken system no one is willing to fix.
How it started
Two days ago, I got an email in my Gmail that my Microsoft account ***@***.com has been renamed to ***77@***.com. I immediately clicked on the “That was not me” button and got in touch with support. After a couple of long hours, the MS tech told me that it was all OK. It was just a mistake by someone else incorrectly entering their email as their sign-in alias only. My question as to why I did not get any previous emails asking to confirm said sign-in alias was dismissed. The tech said it was not necessary to verify sign-in aliases. I didn’t believe that.
I logged into my Microsoft account and started looking around. There was no information changed and no strange logins from strange places. All looked in order. However, when going over the MFA setup and confirming the different options, I noticed something. When Microsoft recently forced me to switch my original MFA method away from Authy codes and two emails, it also forced me to install the Microsoft Authenticator and add my phone number. That inadvertently added my phone number as a sign-in alias to my account. I did have to verify it too. To anyone that knows how to use the Internet, my phone is public knowledge. And even though Alex Weinert, Director of Identity Security at Microsoft, has been urging people to stop using phone-based MFA for a year now, Microsoft still does not allow MFA unless you give them your phone number. You are also required to verify it and add it as a sign-in and recovery option.
How it’s going
I was not about to let people try to take over my account using my phone number. I went into the sign-in preferences menu (not the MFA or recovery options menu) and unticked the phone number as a sign-in alias. Note that I did not remove it from the account, recovery option, or MFA setup.
Less than two seconds later, the page I was looking at turned blank and then displayed an error: “We are sorry, the page you requested cannot be found. The URL may be misspelled or the page you’re looking for is no longer available.”.
When I tried to log in again, I got the “There’s a temporary problem. There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.”
In under 30 seconds, all my devices were automatically logged out. My workstation, laptop, and phone all started throwing errors that I needed to sign in again or fix a problem on my account.
At first, I was like, “What? I need to re-login everywhere… Oh, c’mon”. But quickly found out that is no longer possible. Any subsequent attempt at logging in has resulted in me seeing the “There’s a temporary problem” page.
I thought because I’ve changed a security option, I might need to let the system re-initialise its secrets or something. Sometimes, that is necessary when stuff depends on good ol’ AAD DS (Azure Active Directory Domain Services). OK, let’s change my password. Right, enter my email, “Next”, enter my password, “Forgot password”, enter my recovery email, “Next”, enter my old Authy code… Wait, what? Why does it want my Authy code? I have the Microsoft Authenticator set up. Good thing I did not erase that. OK, enter my Authy code “Next”. I am greeted with the “Reset your password” screen. Hooray! Enter the new password, repeat password, “Next”. Error: “There’s a temporary problem with the service. Please try again. If you continue to get this message, try again.” What??? Like, seriously, what?
OK, I must be dreaming. I’ve given it several pieces of correct info. That should have worked. Anyway, let’s reset the MFA. Maybe that’s the issue. Go to aka.ms/mfasetup and enter my email, ‘Next’. Error: “We couldn’t find an account with that username. Try another, or get a new Microsoft account.”
Excuse me??? What do you mean you have no knowledge of my account. I’ve just tried to reset its password, and you knew it then, didn’t you. You stinking pile of cloud functions, you!!!
OK, don’t lose it. You’re smarter than this. Mom’s always told you how smart and clever you are. Let’s try logging in to some other endpoint. I’m paying for Office365; let’s try that:
That error… That error “MSSPError=-805312371”. That error returns zero results in all web searches to date. I am about to cry.
OK, OK. Think. You can do something; you can fix it. I mean, it’s your account. There must be a way. Let’s see… Hmm…
Aha! I’ve got it. I will force it to use my phone number, and then the system will realise it needs to fill in the info somewhere.
… Like, who the hell do you think you are, computer?! I am your master. Your master! Do as I say! Log me into my account!
Let me try and jerk the security info directly.
Seriously… Am I a joke to you?! Oh, wait, I know. I will just sign in with Windows Hello. That is part of the new MFA and will work for sure. (I guess you already know where this is going…)
As you can see here, the issue is in plain view. The account is still fully configured and requires MFA, but the MFA system cannot provide it: it short-circuits or even crashes and returns nil. My account in the MFA system has been cleared just by not allowing sign-in with my phone number. But since that action has not removed the phone from the account or the recovery options, the account login still thinks, with good reason, that MFA should happen. However, it cannot. I’ve been locked out of the account for good.
At this point, it was time for me to reach out to the famously dependable Microsoft Account support. Ah, yes, but I could not log in to my account, and as such, I could not take advantage of the paid support options. I had to create a new temporary account and try to convince someone to help a filthy casual.
After literally hours in the online chat, trying to explain what had happened to a support assistant, I was given the option to submit the account recovery form. Alright, let’s do it. I filled it out, gave it my passwords, aliases, all other info, told it I have purchased stuff, gave it my PayPal, my last payments, last emails, latest email subjects, all it wanted. I thought that’s that. The next day I got a response:
“(…) Be persistent and keep trying to recover your account. Each time you try, you may remember new details that will help the automated recovery program validate you as the true owner of the account https://account.live.com/resetpassword.aspx.
If you are unable to recover the account, consider creating a new account https://support.microsoft.com/en-us/products/microsoft-account.”
Are you serious now? C’mon, dude, for real?! Honestly, like, man, you gotta be kidding me, right?! No, it turns out the man was not kidding me after all. The dude was serious that having all the information about the account combined with communicating from the primary email on the account is purely a lucky coincidence or the world’s best hack ever attempted. I bet that Azure function felt very proud afterwards, telling how it thwarted my futile attempts at accessing my own account.
Anyway, on to contacting support once again. A few hours in a chat session again, doing everything anew, I am given the account reinstatement form to fill in. I fill that in. And nothing. Guess why? My account is not suspended. Why would it occur to anyone that this would work?! How do you reinstate a fully active account? If you didn’t guess already — you do not; you let it remain active without doing anything. Bill Gates would be proud of his legacy of lazy employees finding the easiest way of doing things.
And on the third day
I contacted Microsoft support again. This time I was given a phone number to talk to a human from the Microsoft Accounts Support department who was sure to fix my issue. Later, that same Microsoft Accounts Support tech would say, “We have no reports of issues on our platform. There are no bugs. Please login with the required credentials as your account is set up for MFA. We will not escalate your issue as it is not a hacking attempt. Goodbye and have a nice day!” and hang up.
Hello! I am making a report right now. Are you listening? No, as it turns out, they were not listening. I called again and received the same damning response that it is Microsoft policy not to look at accounts that appear not to have been hacked. It also is Microsoft policy not to take me seriously that they have a bug, even though I have video proof of the login page not working.
Over the last few days, I’ve accumulated several support tickets. I’ve reached out to friends and colleagues with the hope of getting some ideas. None has come to light. I’ve written to Microsoft support in email and Twitter but to no avail. I’ve tried to log in every which way in all services that I can think of, and even tried to request a refund for the services I’m paying for but cannot access. All of these have gone into the wind.
Finally, I remembered that I saved an account recovery code somewhere in my password manager a long time ago. This recovery option was not mentioned by any support tech. It is also not very well documented on the Microsoft pages. I urge anyone to check if they have one and, if not, to create one immediately. Clearly, all other advertised methods of recovery have failed miserably.
I entered the recovery code and was greeted with the page to rewrite all the account’s security information 30 days from now. Wait, what?! Who the hell comes up with these policies? I imagine I would need to use that code only when my account has been hacked, taken over, or another disaster. Why would I give a 30-day notice to my hacker to secure their new account or wait 30 days to access my account in an emergency? What is this — opposite world?! Who else are they (Microsoft in its infinite wisdom) worried about having that account recovery code? I don’t even know any words that can explain how I feel about this…
Anyway, the gist of it is that Microsoft have a bug. Their system should have never allowed me to configure it in a way it cannot function. And it should have allowed me to recover normally afterwards in case of an issue. Mistakes happen, and bugs exist, but the real problem here is the design, architecture and policy put in place.
It’s a problem when the architecture has not communicated the configuration changes and is not synchronised. It is also worrying that only half of Microsoft’s security systems can operate with a phone number that is not a sign-in alias.
Furthermore, with its new and poorly designed policy, this new system is fiddly to the point that it is entirely incapable of recovering when something happens. Not only that, but Microsoft employees are deliberately trained to refuse to accept any feedback about issues their paying customers are facing. All that was needed was a human with access to check my info, see that the account has not been successfully logged into for a few days, and verify my steps to reproduce the bug. That would have taken an experienced tech some 5–10, maybe even 15 minutes. Is Microsoft not able to afford 15 minutes of an experienced tech’s time to verify a severe bug in their security system?
I don’t think so. But I hope at least you, the reader, will make sure to have an account recovery code stored somewhere.
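The design point above (a change to one setting silently invalidating another, with nothing refusing to persist a state the login path cannot satisfy) is easy to model. The following is an added example, not the post’s own code and not a description of Microsoft’s internals: a hypothetical account record where the sign-in alias flag and the MFA enrolment share the same phone-number entry, the coupled update the post describes, and a validate-then-commit wrapper that checks the invariant “MFA required implies at least one MFA method enrolled” before any change is stored. All names, the sample phone number and the e-mail addresses are constructed.

```python
# Added example: toy model of a sign-in alias / MFA coupling bug and the
# invariant check that would have refused to store it. Hypothetical code,
# not Microsoft's; every identifier and sample value here is made up.
import copy
from dataclasses import dataclass, field
from typing import Callable


class InvalidAccountState(Exception):
    """A proposed change would leave the account unable to sign in."""


@dataclass
class Account:
    # contact method -> may it be used as a sign-in alias?
    contact_methods: dict = field(default_factory=dict)
    # contact methods enrolled in the MFA backend
    mfa_methods: set = field(default_factory=set)
    mfa_required: bool = True


def can_complete_sign_in(acct: Account) -> bool:
    """After the password step, sign-in succeeds only if MFA is not
    required or at least one MFA method can actually be exercised."""
    return (not acct.mfa_required) or bool(acct.mfa_methods)


def check_invariants(acct: Account) -> None:
    """Conditions every persisted account state must satisfy."""
    if acct.mfa_required and not acct.mfa_methods:
        raise InvalidAccountState("MFA required but no MFA method enrolled")
    unknown = acct.mfa_methods - set(acct.contact_methods)
    if unknown:
        raise InvalidAccountState(f"MFA backend references unknown methods: {unknown}")


def disable_alias_coupled(acct: Account, method: str) -> None:
    """The behaviour the post describes: turning off sign-in for the phone
    number also drops it from the MFA backend, while MFA stays required."""
    acct.contact_methods[method] = False
    acct.mfa_methods.discard(method)


def disable_alias_decoupled(acct: Account, method: str) -> None:
    """Sign-in preference changes only the alias flag; MFA enrolment is untouched."""
    acct.contact_methods[method] = False


def apply_change(acct: Account, change: Callable[[Account, str], None], method: str) -> Account:
    """Validate-then-commit: mutate a copy, check the invariants, and return
    the new state only if the account is still usable. On failure the caller
    keeps the old state instead of being locked out."""
    proposed = copy.deepcopy(acct)
    change(proposed, method)
    check_invariants(proposed)
    return proposed


def fresh_account() -> Account:
    # Constructed sample: the phone is both a sign-in alias and the only MFA method.
    return Account(
        contact_methods={"user@example.com": True, "+15550100": True},
        mfa_methods={"+15550100"},
    )


def lockout_without_check() -> bool:
    """Direct write of the coupled change, as the post describes it."""
    acct = fresh_account()
    disable_alias_coupled(acct, "+15550100")
    return can_complete_sign_in(acct)  # False: MFA required, nothing enrolled


def guarded_change() -> tuple:
    """With validate-then-commit the coupled change is rejected and the old
    state survives; the decoupled change is accepted, and the phone stops
    being a sign-in alias while remaining an MFA method."""
    acct = fresh_account()
    try:
        apply_change(acct, disable_alias_coupled, "+15550100")
        rejected = None
    except InvalidAccountState as exc:
        rejected = str(exc)
    fixed = apply_change(acct, disable_alias_decoupled, "+15550100")
    return (rejected, can_complete_sign_in(acct), can_complete_sign_in(fixed),
            fixed.contact_methods["+15550100"], "+15550100" in fixed.mfa_methods)


if __name__ == "__main__":
    print("sign-in possible after unchecked coupled change:", lockout_without_check())
    print("guarded result:", guarded_change())
```

The two things worth taking from the model: the sign-in preference and the MFA enrolment are separate facts about the same contact method and must be stored and updated separately, and whatever backend persists account settings should refuse any state in which `mfa_required` is true and no method is enrolled, rather than relying on the recovery flows (which in the post depend on the very same state) to dig the user out afterwards.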
Aftermath (Update 12/10/21, 10:15 UTC)
The above post reached the front page on Hacker News! I never thought it possible, but people have done something about it too. Microsoft’s Vice President Identity Division, Alex Simons, has publicly apologised on Twitter and promised a fix is being deployed.
Indeed, this morning I was able to log in to my account. But before you get too excited, all that has changed is that the sign-in preferences menu and, I’m guessing, the respective system has been disabled. They still have the bug and the poorly written policy. For example, when I try to enable password-less login, I get the following:
However, my phone number is no longer listed on my account. The system tries to reach my phone, which is no longer on my account, yet it clearly still knows about it and wants to send a notification. Unfortunately, it cannot, because it also requires the phone number to be a sign-in option. It’s a crazy loop of madness.