“It seems the solution, or rather a viable workaround, is to manually enter the Secret Key from the Identity Provider into the Authenticator app during its setup phase,” shared a concerned user. “This approach, however, presents challenges in a corporate setting where most end users are not familiar with the complexities of authentication processes, making a random sequence of characters seem quite daunting.”
‘A significant challenge with usability and cybersecurity’
This issue gained traction recently after Australian IT consultant Brett Randall highlighted it on LinkedIn.
In his post, Randall recounted his experience during a recent vendor training session: “While logging into their platform, we encountered a QR code for multi-factor authentication (MFA). Several participants opened the Microsoft Authenticator app, scanned the QR code, and accidentally replaced another application’s TOTP (Time-based One-Time Password) key,” Randall noted.
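The overwrite Randall describes can be reproduced with a small model of an authenticator's account store. The example below is added here and is not code from Microsoft, the article, or Randall's post. It assumes the de facto otpauth:// key URI format that MFA QR codes carry, and it assumes, as a hypothesis the article does not confirm, that the overwrite happens because the store is keyed on the account label alone rather than on issuer plus label. The two enrolment URIs are constructed samples: both carry the label alice@example.com and differ only in issuer, and the first secret is the RFC 6238 test vector so the generated codes can be checked against the published values. The last helper addresses the manual-entry workaround from the earlier quote: it checks that a secret typed by hand (spaces, lowercase) produces the same code as the scanned one.

```python
"""Model of a TOTP enrolment collision: two otpauth:// QR payloads that share
an account label but belong to different issuers.  Stored keyed on the label
alone, the second enrolment silently replaces the first; keyed on
(issuer, label), both survive.  Example code added to this page; it is not
from Microsoft, the article, or its sources.  The label-only keying is a
hypothesis about the failure, not a documented cause.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolments (not real accounts).  Same label, two issuers.
# The first secret is base32 of "12345678901234567890", the RFC 6238 test key.
VENDOR_URI = ("otpauth://totp/VendorPortal:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=VendorPortal")
INTERNAL_URI = ("otpauth://totp/CorpVPN:alice%40example.com"
                "?secret=JBSWY3DPEHPK3PXP&issuer=CorpVPN")


def parse_otpauth(uri):
    """Return (issuer, account, secret) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    label = unquote(u.path.lstrip("/"))
    q = parse_qs(u.query)
    # The issuer may be a label prefix ("Issuer:account"), a query parameter,
    # or both; the query parameter wins when present.
    prefix, sep, account = label.partition(":")
    if not sep:
        prefix, account = "", label
    issuer = q.get("issuer", [prefix])[0]
    return issuer, account.strip(), q["secret"][0]


def enrol_all(uris, key_on_issuer):
    """Enrol each URI in a fresh store.

    Returns (store, overwritten): overwritten lists the keys whose earlier
    secret was replaced by a later enrolment with a different secret.
    """
    store, overwritten = {}, []
    for uri in uris:
        issuer, account, secret = parse_otpauth(uri)
        key = (issuer, account) if key_on_issuer else account
        if key in store and store[key] != secret:
            overwritten.append(key)
        store[key] = secret
    return store, overwritten


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def same_key(uri, typed_secret, at):
    """True if a hand-typed secret (spaces and lowercase tolerated) yields the
    same code as the secret embedded in the QR payload."""
    _, _, scanned = parse_otpauth(uri)
    typed = typed_secret.replace(" ", "").upper()
    return totp(scanned, at) == totp(typed, at)


def main():
    uris = [VENDOR_URI, INTERNAL_URI]
    flat, lost = enrol_all(uris, key_on_issuer=False)
    print("label-only store:", flat, "overwritten:", lost)
    keyed, lost2 = enrol_all(uris, key_on_issuer=True)
    print("issuer-keyed store:", keyed, "overwritten:", lost2)
    now = time.time()
    for key, secret in keyed.items():
        print(key, "->", totp(secret, now))


if __name__ == "__main__":
    main()
```

Run as a script it prints the two stores: the label-only store ends up holding a single entry for alice@example.com with CorpVPN's secret, so the VendorPortal code can no longer be generated, while the issuer-keyed store keeps both. Whether a given app keys its entries this way is not something the article establishes; the point of the model is that an enrolment flow that never asks before replacing an existing entry is the part to test for.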
Source: www.csoonline.com