The efficiency of Microsoft. Or how the Microsoft MFA system almost brought me to a complete nervous breakdown in under 24 hours.

The long bit

If you find yourself immediately thinking: “This is just the next Microsoft hater!” or “What a bunch of nonsense…” or even “That’s just inflammatory!” then, please, oh please, give me a chance to tell the story after which I’m sure you will agree with me that this is a severe bug that needs fixing asap.

How it started

Two days ago, I got an email in my Gmail that my Microsoft account ***@***.com has been renamed to ***77@***.com. I immediately clicked on the “That was not me” button and got in touch with support. After a couple of long hours, the MS tech told me that it was all OK. It was just a mistake by someone else incorrectly entering their email as their sign-in alias only. My question as to why I did not get any previous emails asking to confirm said sign-in alias was dismissed. The tech said it was not necessary to verify sign-in aliases. I didn’t believe that.

How it’s going

I was not about to let people try to take over my account using my phone number. I went into the sign-in preferences menu (not the MFA or recovery options menu) and unticked the phone number as a sign-in alias. Note that I did not remove it from the account, recovery option, or MFA setup.

[Screenshots not preserved. Captions, in order: “The sign-in preferences menu looks like this.”; “Kicked me out very quickly”; “My account page at the moment.”; “Cannot change password”; “Who am I really?”; “That error though”; “your Gods have forsaken you”; “no caption, leave me alone, I’m thinking”; “TIFU”; “But I’m paying you!!!”; “I gave you the code, you little ****”]

Recovery options

At this point, it was time for me to reach out to famously dependent Microsoft Account support. Ah, yes, but I could not log in to my account, and as such, I could not take advantage of the paid options on support. I had to create a new temporary account and try to convince someone to help a filthy casual.

And on the third day

I contacted Microsoft support again. This time I was given a phone number to talk to a human from the Microsoft Accounts Support department that was sure to fix my issue. Later, that same Microsoft Accounts Support tech will say, “We have no reports of issues on our platform. There are no bugs. Please login with the required credentials as your account is set up for MFA. We will not escalate your issue as it is not a hacking attempt. Goodbye and have a nice day!” and hang up.

The conclusion

Over the last few days, I’ve accumulated several support tickets. I’ve reached out to friends and colleagues with the hope of getting some ideas. None has come to light. I’ve written to Microsoft support by email and on Twitter, but to no avail. I’ve tried to log in every which way in all services that I can think of, and even tried to request a refund for the services I’m paying for but cannot access. All of these have gone into the wind.

Aftermath (Update 12/10/21, 10:15 UTC)

The above post reached the front page on Hacker News! I never thought it possible, but people have done something about it too. Microsoft’s Vice President Identity Division, Alex Simons, has publicly apologised on Twitter and promised a fix is being deployed.

[Screenshot not preserved. Caption: “The system can’t reach my phone”]

Konstantin Gizdov

DevOps, Arch Linux TU, Particle Physics PhD